xloader | fd44538306bd2862cfa6b1f7beac43d5736b43ffa070ea5c188573daf564fb00

General

Target

Inv_7623980.exe
Size

821KB
MD5

fd45ab42cffc17209261bff2430c8245
SHA1

d06143966b8ca02db582f5111fc275844796786f
SHA256

6afa5e287f69f392b8481a94ebb1729c606a1f1023820e79e942ad40dfe96859
SHA512

c6326b0d3f029bfe7b9d2cee32b89dee3b46b921af5f342958971d5c5be4e2be6fd9d3ca518b5215f6f0a3572d4f739922f1f7392c67acd1967c42d99145252f
SSDEEP

12288:vMrP7wwt12QLaX3miWy4hTniOHDA4HnIsNGEG9gfy27ONd+5nDCZ+ug3vI4SeZ91:ErP7ww4V4h2wChgfVu8q7mo5oFCEkv

Score

10^/10

xloader m6b5 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

m6b5

Decoy

ixtarbelize.com

pheamal.com

daiyncc.com

staydoubted.com

laagerlitigation.club

sukrantastansakarya.com

esupport.ltd

vetscontracting.net

themuslimlife.coach

salmanairs.com

somatictherapyservices.com

lastminuteminister.com

comunicarbuenosaires.com

kazuya.tech

insightlyservicedev.com

redevelopment38subhashnagar.com

thefutureinvestor.com

simplysu.com

lagu45.com

livingstonpistolpermit.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.

Processes:

resource yara_rule

behavioral1/memory/2208-3-0x00000000003C0000-0x00000000003D2000-memory.dmp CustAttr

resource	yara_rule
behavioral1/memory/2208-3-0x00000000003C0000-0x00000000003D2000-memory.dmp	CustAttr

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2548-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2548-17-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2940-22-0x0000000000090000-0x00000000000B9000-memory.dmp	xloader
behavioral1/memory/2940-24-0x0000000000090000-0x00000000000B9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

Inv_7623980.exeRegSvcs.exewuapp.exe

description	pid	process	target process
PID 2208 set thread context of 2548	2208	Inv_7623980.exe	RegSvcs.exe
PID 2548 set thread context of 1196	2548	RegSvcs.exe	Explorer.EXE
PID 2940 set thread context of 1196	2940	wuapp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

RegSvcs.exewuapp.exe

pid	process
2548	RegSvcs.exe
2548	RegSvcs.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe
2940	wuapp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exewuapp.exe

pid process

2548 RegSvcs.exe
2548 RegSvcs.exe
2548 RegSvcs.exe
2940 wuapp.exe
2940 wuapp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegSvcs.exewuapp.exe

description pid process

Token: SeDebugPrivilege 2548 RegSvcs.exe
Token: SeDebugPrivilege 2940 wuapp.exe

description	pid	process
Token: SeDebugPrivilege	2548	RegSvcs.exe
Token: SeDebugPrivilege	2940	wuapp.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Inv_7623980.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 2208 wrote to memory of 2548	2208	Inv_7623980.exe	RegSvcs.exe
PID 2208 wrote to memory of 2548	2208	Inv_7623980.exe	RegSvcs.exe
PID 2208 wrote to memory of 2548	2208	Inv_7623980.exe	RegSvcs.exe
PID 2208 wrote to memory of 2548	2208	Inv_7623980.exe	RegSvcs.exe
PID 2208 wrote to memory of 2548	2208	Inv_7623980.exe	RegSvcs.exe
PID 2208 wrote to memory of 2548	2208	Inv_7623980.exe	RegSvcs.exe
PID 2208 wrote to memory of 2548	2208	Inv_7623980.exe	RegSvcs.exe
PID 2208 wrote to memory of 2548	2208	Inv_7623980.exe	RegSvcs.exe
PID 2208 wrote to memory of 2548	2208	Inv_7623980.exe	RegSvcs.exe
PID 2208 wrote to memory of 2548	2208	Inv_7623980.exe	RegSvcs.exe
PID 1196 wrote to memory of 2940	1196	Explorer.EXE	wuapp.exe
PID 1196 wrote to memory of 2940	1196	Explorer.EXE	wuapp.exe
PID 1196 wrote to memory of 2940	1196	Explorer.EXE	wuapp.exe
PID 1196 wrote to memory of 2940	1196	Explorer.EXE	wuapp.exe
PID 1196 wrote to memory of 2940	1196	Explorer.EXE	wuapp.exe
PID 1196 wrote to memory of 2940	1196	Explorer.EXE	wuapp.exe
PID 1196 wrote to memory of 2940	1196	Explorer.EXE	wuapp.exe
PID 2940 wrote to memory of 2060	2940	wuapp.exe	cmd.exe
PID 2940 wrote to memory of 2060	2940	wuapp.exe	cmd.exe
PID 2940 wrote to memory of 2060	2940	wuapp.exe	cmd.exe
PID 2940 wrote to memory of 2060	2940	wuapp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe
"C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2544

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2488

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2604

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2436

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2444

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2452

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2484

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2504

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2552

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1688

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2944

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2948

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2680

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1936

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1724

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2960

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2316

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1600

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2520

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2832

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2820

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2836

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2844

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2824

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2060

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-28-0x0000000004E90000-0x0000000004FBE000-memory.dmp

Filesize
1.2MB

Download
memory/1196-19-0x0000000004E90000-0x0000000004FBE000-memory.dmp

Filesize
1.2MB

Download
memory/1196-16-0x0000000003B00000-0x0000000003C00000-memory.dmp

Filesize
1024KB

Download
memory/2208-0-0x0000000001040000-0x0000000001114000-memory.dmp

Filesize
848KB

Download
memory/2208-1-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-2-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/2208-3-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2208-4-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-5-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/2208-6-0x0000000008160000-0x00000000081DC000-memory.dmp

Filesize
496KB

Download
memory/2208-7-0x0000000000A30000-0x0000000000A64000-memory.dmp

Filesize
208KB

Download
memory/2208-13-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-14-0x0000000000AA0000-0x0000000000DA3000-memory.dmp

Filesize
3.0MB

Download
memory/2548-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2548-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2548-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2548-18-0x0000000000140000-0x0000000000150000-memory.dmp

Filesize
64KB

Download
memory/2548-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2548-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2940-20-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/2940-21-0x00000000008F0000-0x00000000008FB000-memory.dmp

Filesize
44KB

Download
memory/2940-22-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2940-23-0x0000000002020000-0x0000000002323000-memory.dmp

Filesize
3.0MB

Download
memory/2940-24-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/2940-26-0x0000000000580000-0x000000000060F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads