xloader | c5cbfde3efbf5f93df14eb9110e9d747a966f74278c9cbeab6f875607009459e

General

Target

PO-001021521.exe
Size

286KB
MD5

b906a265b5e3a8afb18f2d336319ca86
SHA1

1f7b2432b7425828ae800a67313d75e30e3076a2
SHA256

0a2e7c9ad53b5355f4f723912d07f9dae7d1e2d72ac62758cdc44196f124945e
SHA512

7b4095b9f72ebf2b5ed67de9e4d28b37ff9ecc2d9178bd8fa3894cdbb49f637582af74f58c7e03e00446c4c7f8fe435bc7e65a6fa27599bfc4291c2f2480aa30
SSDEEP

6144:AqjI6KE6IeyEZBEh/7fsCMH2qKZsQTZVPSt:NDKE6kxhaH2hZ/q

Score

10^/10

xloader gzcj loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

gzcj

Decoy

localzhops.com

cfsb114.com

sweetiefilms.com

cyclewatts.com

bubblesportsevent.com

halloween-r-us.com

rcdzsm.com

reelatioens.com

uniquegranitebenefits.com

chainlinkdex.com

topcoolhlist.com

ivy-apps.com

shopmajesticqueendom.com

ddiesels.com

ventajuguetessexuales.online

daylight93245.com

heiyingxitong.com

personalfashion.guru

usadrugfree.com

beyondcareersuccess.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2552-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2552-16-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2700-23-0x00000000000B0000-0x00000000000D9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2468 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

PO-001021521.exe

pid process

2412 PO-001021521.exe
2412 PO-001021521.exe

pid	process
2468	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO-001021521.exePO-001021521.execscript.exe

description	pid	process	target process
PID 2412 set thread context of 2552	2412	PO-001021521.exe	PO-001021521.exe
PID 2552 set thread context of 1208	2552	PO-001021521.exe	Explorer.EXE
PID 2700 set thread context of 1208	2700	cscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

PO-001021521.exePO-001021521.execscript.exe

pid	process
2412	PO-001021521.exe
2412	PO-001021521.exe
2412	PO-001021521.exe
2412	PO-001021521.exe
2552	PO-001021521.exe
2552	PO-001021521.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe
2700	cscript.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

PO-001021521.exePO-001021521.execscript.exe

pid process

2412 PO-001021521.exe
2552 PO-001021521.exe
2552 PO-001021521.exe
2552 PO-001021521.exe
2700 cscript.exe
2700 cscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO-001021521.execscript.exe

description pid process

Token: SeDebugPrivilege 2552 PO-001021521.exe
Token: SeDebugPrivilege 2700 cscript.exe

description	pid	process
Token: SeDebugPrivilege	2552	PO-001021521.exe
Token: SeDebugPrivilege	2700	cscript.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

PO-001021521.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 2412 wrote to memory of 2552	2412	PO-001021521.exe	PO-001021521.exe
PID 2412 wrote to memory of 2552	2412	PO-001021521.exe	PO-001021521.exe
PID 2412 wrote to memory of 2552	2412	PO-001021521.exe	PO-001021521.exe
PID 2412 wrote to memory of 2552	2412	PO-001021521.exe	PO-001021521.exe
PID 2412 wrote to memory of 2552	2412	PO-001021521.exe	PO-001021521.exe
PID 1208 wrote to memory of 2700	1208	Explorer.EXE	cscript.exe
PID 1208 wrote to memory of 2700	1208	Explorer.EXE	cscript.exe
PID 1208 wrote to memory of 2700	1208	Explorer.EXE	cscript.exe
PID 1208 wrote to memory of 2700	1208	Explorer.EXE	cscript.exe
PID 2700 wrote to memory of 2468	2700	cscript.exe	cmd.exe
PID 2700 wrote to memory of 2468	2700	cscript.exe	cmd.exe
PID 2700 wrote to memory of 2468	2700	cscript.exe	cmd.exe
PID 2700 wrote to memory of 2468	2700	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\PO-001021521.exe
"C:\Users\Admin\AppData\Local\Temp\PO-001021521.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\AppData\Local\Temp\PO-001021521.exe
"C:\Users\Admin\AppData\Local\Temp\PO-001021521.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO-001021521.exe"
3⤵
- Deletes itself
PID:2468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1gbwwte3logn.dll

Filesize
11KB

MD5
558a057a766736289b2da31eab04db53

SHA1
ab48d1f8acdae775a154566fe7152c04eb6a7d1b

SHA256
b4607d330754a557a009ce50c3ab252743b269fca2fa99500ec58570e393b699

SHA512
d582be64cd5edf6fe608a25cb8661c5e97502b2afe817d6b3c8f7144c8c1e078afb94ce826c4bbdc35ee72cc7702d4920e00da02021418465856cd460a81d79f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd97AE.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/1208-17-0x0000000006B70000-0x0000000006CF7000-memory.dmp

Filesize
1.5MB

Download
memory/1208-24-0x00000000030D0000-0x00000000031D0000-memory.dmp

Filesize
1024KB

Download
memory/2412-12-0x0000000074340000-0x0000000074347000-memory.dmp

Filesize
28KB

Download
memory/2412-14-0x0000000074340000-0x0000000074347000-memory.dmp

Filesize
28KB

Download
memory/2552-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2700-20-0x0000000000FB0000-0x0000000000FD2000-memory.dmp

Filesize
136KB

Download
memory/2700-22-0x0000000000FB0000-0x0000000000FD2000-memory.dmp

Filesize
136KB

Download
memory/2700-23-0x00000000000B0000-0x00000000000D9000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads