xloader | 3dba6300d34cd2fc6744ff6706c1f876d4fd42b3e3ed190dfab317ac3586b4d9

General

Target

CTM_50,000.exe
Size

324KB
MD5

0745a91ca11c4c208560564ec24451d7
SHA1

cd7d14c1b17841b118e4e1f1fc473612654f2f31
SHA256

4796e12d5a33b3b717b0ddc65286b9de7479e86bc91cc0bdb843722a5b62951b
SHA512

dfcf69496dd86e8e5d379c530899536a7a64c0ed5b4c05bac8282fee655541ea4d69df80e9d41026d260118825e8e0cbb64e8f8d2fbf0d1e0f868edfe72a5466
SSDEEP

6144:oBrf0xh3Hfr5YwuLpVtE/qpDVl2HwW429mdix4KRYLCeA8ntOOrdT0y:+rf0P3HD5YQ/qp5UHwWmix4TLCQXrd7

Score

10^/10

xloader eca0 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

eca0

Decoy

azappz.com

ruptiti.com

gewinntaservices.com

skip1-dndasasd.com

frithwtych.com

modularinmobiliaria.com

conwhot.club

drsarahcoxon.com

aplaycasinovhod.com

schaunmonksadv.com

rpm856.com

xn--vhq1km0kx70a.com

motheryer.com

coasttocoastballers.net

imitationdesign.com

newnoname.com

asiyim.com

orient-indonesia.com

rushmoremd.com

tridentking.co.uk

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2192-2-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/2192-7-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/2192-11-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/2556-18-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader
behavioral1/memory/2556-20-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2608	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

CTM_50,000.exeCTM_50,000.execmmon32.exe

description	pid	Process	procid_target
PID 1968 set thread context of 2192	1968	CTM_50,000.exe	28
PID 2192 set thread context of 1176	2192	CTM_50,000.exe	21
PID 2192 set thread context of 1176	2192	CTM_50,000.exe	21
PID 2556 set thread context of 1176	2556	cmmon32.exe	21

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

CTM_50,000.execmmon32.exe

pid	Process
2192	CTM_50,000.exe
2192	CTM_50,000.exe
2192	CTM_50,000.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe
2556	cmmon32.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

CTM_50,000.exeCTM_50,000.execmmon32.exe

pid	Process
1968	CTM_50,000.exe
2192	CTM_50,000.exe
2192	CTM_50,000.exe
2192	CTM_50,000.exe
2192	CTM_50,000.exe
2556	cmmon32.exe
2556	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CTM_50,000.execmmon32.exe

description	pid	Process
Token: SeDebugPrivilege	2192	CTM_50,000.exe
Token: SeDebugPrivilege	2556	cmmon32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

CTM_50,000.exeExplorer.EXEcmmon32.exe

description	pid	Process	procid_target
PID 1968 wrote to memory of 2192	1968	CTM_50,000.exe	28
PID 1968 wrote to memory of 2192	1968	CTM_50,000.exe	28
PID 1968 wrote to memory of 2192	1968	CTM_50,000.exe	28
PID 1968 wrote to memory of 2192	1968	CTM_50,000.exe	28
PID 1968 wrote to memory of 2192	1968	CTM_50,000.exe	28
PID 1176 wrote to memory of 2556	1176	Explorer.EXE	29
PID 1176 wrote to memory of 2556	1176	Explorer.EXE	29
PID 1176 wrote to memory of 2556	1176	Explorer.EXE	29
PID 1176 wrote to memory of 2556	1176	Explorer.EXE	29
PID 2556 wrote to memory of 2608	2556	cmmon32.exe	30
PID 2556 wrote to memory of 2608	2556	cmmon32.exe	30
PID 2556 wrote to memory of 2608	2556	cmmon32.exe	30
PID 2556 wrote to memory of 2608	2556	cmmon32.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\CTM_50,000.exe
  "C:\Users\Admin\AppData\Local\Temp\CTM_50,000.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\CTM_50,000.exe
    "C:\Users\Admin\AppData\Local\Temp\CTM_50,000.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\CTM_50,000.exe"
    3⤵
    - Deletes itself
    PID:2608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1176-9-0x00000000065A0000-0x0000000006667000-memory.dmp

Filesize
796KB

Download
memory/1176-24-0x00000000074F0000-0x000000000768B000-memory.dmp

Filesize
1.6MB

Download
memory/1176-21-0x00000000065A0000-0x0000000006667000-memory.dmp

Filesize
796KB

Download
memory/1176-13-0x00000000074F0000-0x000000000768B000-memory.dmp

Filesize
1.6MB

Download
memory/1968-1-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/1968-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1968-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2192-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2192-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2192-8-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/2192-12-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2192-5-0x00000000006E0000-0x00000000009E3000-memory.dmp

Filesize
3.0MB

Download
memory/2192-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2556-15-0x0000000000680000-0x000000000068D000-memory.dmp

Filesize
52KB

Download
memory/2556-17-0x0000000000680000-0x000000000068D000-memory.dmp

Filesize
52KB

Download
memory/2556-18-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/2556-19-0x0000000001F40000-0x0000000002243000-memory.dmp

Filesize
3.0MB

Download
memory/2556-20-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/2556-23-0x0000000001DB0000-0x0000000001E3F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads