xloader | 9a70c87569365146a5ae6d0d933c54e53784f268ed764285e2df61691864249a

General

Target

Quotation 85663455.exe
Size

769KB
MD5

78a48c9ca7cb69737740772bfbff1db7
SHA1

2079cb5fc6559e71f264144c92132a5a4e174962
SHA256

64550a0d3d1c28b1ec50006327a707b7287997aa7ca146153440935a033ccb97
SHA512

710356de5059511b606a553675427b905822bc8ee19bfec3d2ad903d1c22265f69273ab59e5b27d092bac088719de43e61ebd2ed67ccb426bdc9eea02eddc971
SSDEEP

12288:2ToRXAGxYR+PMnf2EKXNzo/Yvf3CJDvrHzuaImz1NZ1eCiHUQhnmw2o5f5JOEPpQ:AoRXcRH2XzgYvvCpzXIwLiFnl2IRHPi

Score

10^/10

xloader m7gs loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

m7gs

Decoy

goodxxxhigh.com

blun33.com

mcbt328.com

sxtdba.com

sagalocal.icu

spentonindustries.com

greatexpectationssouthshore.com

herzenco.com

duoxizhe.com

h-mawari.net

jeevicain.com

sculpted-vegan.net

vipchainwallet.com

smartanalytics.info

jiujirat.com

canhoquan8-centralpremium.com

pasarandir.com

mario17331.com

dillonsavage.com

ladiesboxx.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2588-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2588-16-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2388-21-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader
behavioral1/memory/2388-23-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2696 cmd.exe

pid	process
2696	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Quotation 85663455.exeQuotation 85663455.exeNAPSTAT.EXE

description	pid	process	target process
PID 2292 set thread context of 2588	2292	Quotation 85663455.exe	Quotation 85663455.exe
PID 2588 set thread context of 1200	2588	Quotation 85663455.exe	Explorer.EXE
PID 2388 set thread context of 1200	2388	NAPSTAT.EXE	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

Quotation 85663455.exeNAPSTAT.EXE

pid	process
2588	Quotation 85663455.exe
2588	Quotation 85663455.exe
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE
2388	NAPSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Quotation 85663455.exeNAPSTAT.EXE

pid process

2588 Quotation 85663455.exe
2588 Quotation 85663455.exe
2588 Quotation 85663455.exe
2388 NAPSTAT.EXE
2388 NAPSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Quotation 85663455.exeNAPSTAT.EXE

description pid process

Token: SeDebugPrivilege 2588 Quotation 85663455.exe
Token: SeDebugPrivilege 2388 NAPSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	2588	Quotation 85663455.exe
Token: SeDebugPrivilege	2388	NAPSTAT.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Quotation 85663455.exeExplorer.EXENAPSTAT.EXE

description	pid	process	target process
PID 2292 wrote to memory of 2588	2292	Quotation 85663455.exe	Quotation 85663455.exe
PID 2292 wrote to memory of 2588	2292	Quotation 85663455.exe	Quotation 85663455.exe
PID 2292 wrote to memory of 2588	2292	Quotation 85663455.exe	Quotation 85663455.exe
PID 2292 wrote to memory of 2588	2292	Quotation 85663455.exe	Quotation 85663455.exe
PID 2292 wrote to memory of 2588	2292	Quotation 85663455.exe	Quotation 85663455.exe
PID 2292 wrote to memory of 2588	2292	Quotation 85663455.exe	Quotation 85663455.exe
PID 2292 wrote to memory of 2588	2292	Quotation 85663455.exe	Quotation 85663455.exe
PID 1200 wrote to memory of 2388	1200	Explorer.EXE	NAPSTAT.EXE
PID 1200 wrote to memory of 2388	1200	Explorer.EXE	NAPSTAT.EXE
PID 1200 wrote to memory of 2388	1200	Explorer.EXE	NAPSTAT.EXE
PID 1200 wrote to memory of 2388	1200	Explorer.EXE	NAPSTAT.EXE
PID 2388 wrote to memory of 2696	2388	NAPSTAT.EXE	cmd.exe
PID 2388 wrote to memory of 2696	2388	NAPSTAT.EXE	cmd.exe
PID 2388 wrote to memory of 2696	2388	NAPSTAT.EXE	cmd.exe
PID 2388 wrote to memory of 2696	2388	NAPSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\Quotation 85663455.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation 85663455.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\Quotation 85663455.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation 85663455.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Quotation 85663455.exe"
3⤵
- Deletes itself
PID:2696

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1200-18-0x0000000007470000-0x0000000007604000-memory.dmp

Filesize
1.6MB

Download
memory/1200-27-0x0000000007470000-0x0000000007604000-memory.dmp

Filesize
1.6MB

Download
memory/1200-25-0x0000000003B80000-0x0000000003D80000-memory.dmp

Filesize
2.0MB

Download
memory/2292-13-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2292-2-0x0000000004A60000-0x0000000004AA0000-memory.dmp

Filesize
256KB

Download
memory/2292-5-0x0000000004A60000-0x0000000004AA0000-memory.dmp

Filesize
256KB

Download
memory/2292-6-0x0000000007ED0000-0x0000000007F6E000-memory.dmp

Filesize
632KB

Download
memory/2292-7-0x0000000000890000-0x00000000008BE000-memory.dmp

Filesize
184KB

Download
memory/2292-1-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2292-4-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2292-3-0x0000000000500000-0x0000000000518000-memory.dmp

Filesize
96KB

Download
memory/2292-0-0x00000000011D0000-0x0000000001296000-memory.dmp

Filesize
792KB

Download
memory/2388-24-0x0000000000910000-0x00000000009A0000-memory.dmp

Filesize
576KB

Download
memory/2388-23-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2388-22-0x0000000002040000-0x0000000002343000-memory.dmp

Filesize
3.0MB

Download
memory/2388-21-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2388-20-0x0000000000A60000-0x0000000000AA6000-memory.dmp

Filesize
280KB

Download
memory/2388-19-0x0000000000A60000-0x0000000000AA6000-memory.dmp

Filesize
280KB

Download
memory/2588-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2588-17-0x0000000000180000-0x0000000000191000-memory.dmp

Filesize
68KB

Download
memory/2588-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2588-14-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download
memory/2588-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2588-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2588-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads