xloader | 6bf22d3dad8fea65c751f514871c6cd2913727cbb700ebcfed482f0dcb04e639

Analysis

max time kernel
154s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER#710665_PDF.exe
Size

227KB
MD5

e3f8392aa03280bb36a3dc058e44fca5
SHA1

2f7efa75f8c1d791007a006bd820a2f735b7fb22
SHA256

cc0e5224224cd1137d4cdff798462d06a7e5e39e97858aac2ecc3c27b5c30b42
SHA512

5323da860079bf60e6f96dc6a99f2d50e086279b9563d1c5173ed3d17a02fbffa304be01c5f31e20c35e1d18c2891d00dda888cdaf54aae9e5c29b5381856faa
SSDEEP

6144:PUd4OmBdYEOOTIPm1+F0lwq/xBQe+UKy9q:CNsvOxPmsWlwq5togq

Score

10^/10

xloader usvr loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

usvr

Decoy

theblockmeatstore.com

drone-moment.com

srsfashionbd.com

kylayagerartwork.com

instagrams.tools

rosenwealth.com

indicraftsvilla.com

rswizard.com

irist.one

pubgclaimx14.com

thegeorgiahomefinder.com

unusualdog.com

kifayatikart.com

methodunit.net

bavarian-luxury.com

17391000.com

ipcsaveday.com

yael-b.com

pasionqueconecta.com

youngsvideography.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/3928-2-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3928-5-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/2260-13-0x0000000000AF0000-0x0000000000B18000-memory.dmp	xloader
behavioral2/memory/2260-15-0x0000000000AF0000-0x0000000000B18000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2252 set thread context of 3928	2252	ORDER#710665_PDF.exe	92
PID 3928 set thread context of 3300	3928	ORDER#710665_PDF.exe	55
PID 2260 set thread context of 3300	2260	wlanext.exe	55

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
3928	ORDER#710665_PDF.exe
3928	ORDER#710665_PDF.exe
3928	ORDER#710665_PDF.exe
3928	ORDER#710665_PDF.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe
2260	wlanext.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2252	ORDER#710665_PDF.exe
3928	ORDER#710665_PDF.exe
3928	ORDER#710665_PDF.exe
3928	ORDER#710665_PDF.exe
2260	wlanext.exe
2260	wlanext.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3928	ORDER#710665_PDF.exe
Token: SeDebugPrivilege	2260	wlanext.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 3928	2252	ORDER#710665_PDF.exe	92
PID 2252 wrote to memory of 3928	2252	ORDER#710665_PDF.exe	92
PID 2252 wrote to memory of 3928	2252	ORDER#710665_PDF.exe	92
PID 2252 wrote to memory of 3928	2252	ORDER#710665_PDF.exe	92
PID 3300 wrote to memory of 2260	3300	Explorer.EXE	93
PID 3300 wrote to memory of 2260	3300	Explorer.EXE	93
PID 3300 wrote to memory of 2260	3300	Explorer.EXE	93
PID 2260 wrote to memory of 1752	2260	wlanext.exe	94
PID 2260 wrote to memory of 1752	2260	wlanext.exe	94
PID 2260 wrote to memory of 1752	2260	wlanext.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Local\Temp\ORDER#710665_PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\ORDER#710665_PDF.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\ORDER#710665_PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER#710665_PDF.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3928
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\ORDER#710665_PDF.exe"
    3⤵
    PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3936 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:4632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2252-0-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2252-1-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/2260-17-0x0000000000F40000-0x0000000000FCF000-memory.dmp

Filesize
572KB

Download
memory/2260-12-0x0000000000F20000-0x0000000000F37000-memory.dmp

Filesize
92KB

Download
memory/2260-15-0x0000000000AF0000-0x0000000000B18000-memory.dmp

Filesize
160KB

Download
memory/2260-14-0x0000000001230000-0x000000000157A000-memory.dmp

Filesize
3.3MB

Download
memory/2260-13-0x0000000000AF0000-0x0000000000B18000-memory.dmp

Filesize
160KB

Download
memory/2260-9-0x0000000000F20000-0x0000000000F37000-memory.dmp

Filesize
92KB

Download
memory/3300-7-0x0000000008CC0000-0x0000000008E61000-memory.dmp

Filesize
1.6MB

Download
memory/3300-18-0x0000000007820000-0x0000000007906000-memory.dmp

Filesize
920KB

Download
memory/3300-20-0x0000000008CC0000-0x0000000008E61000-memory.dmp

Filesize
1.6MB

Download
memory/3300-21-0x0000000007820000-0x0000000007906000-memory.dmp

Filesize
920KB

Download
memory/3300-24-0x0000000007820000-0x0000000007906000-memory.dmp

Filesize
920KB

Download
memory/3928-3-0x0000000000A20000-0x0000000000D6A000-memory.dmp

Filesize
3.3MB

Download
memory/3928-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3928-6-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/3928-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download