xloader | 3a6526bd0319f9cacdfe469a2dcff21576336aee97e6bca996c4753178e4171c

General

Target

Payment_Advice MT103_PDF.exe
Size

1.3MB
MD5

73697bb26242562cc3b9fde3de369fcb
SHA1

7551d770c6358c3ec5483e12882a42eacc12e854
SHA256

6b63415f87f97a86a998a5b78bb16953a25b6a045df9a8593432169ec65bcaaf
SHA512

f1838d11737b8501b73c4afbe0d5b3fc3bf4ada6dd894985edaf707fc358a9ba24a291407eb1fa15a95a178df886469536e3a3994486d9c9966814851099b2ee
SSDEEP

24576:wmpZ76DOqfx8Dgyfx8DgM1dUEOePbzE+XsdainTlQwDZD2L:jZ76v58Dgy58DgM1dMeDzgaiHZK

Score

10^/10

xloader earz loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

earz

Decoy

halacoupon.com

anthos-labs.com

hagertylabs.net

l1992.com

856379580.xyz

rcbb-technologies.com

realhoggapparel.com

sauceprince.com

tootingcab.com

4chase5.com

ordergogibibimbap.com

nyj.xyz

dermixspa.com

premiergiftingco.com

razorcentric.com

mbrealtyadvisors.com

officialjazz.club

cctv006.com

hbcuatthepolls.info

prestamos-ya.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2444-12-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/2444-16-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1232-22-0x0000000000100000-0x0000000000128000-memory.dmp	xloader
behavioral1/memory/1232-24-0x0000000000100000-0x0000000000128000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1624 cmd.exe

pid	process
1624	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Payment_Advice MT103_PDF.exePayment_Advice MT103_PDF.execmmon32.exe

description	pid	process	target process
PID 1808 set thread context of 2444	1808	Payment_Advice MT103_PDF.exe	Payment_Advice MT103_PDF.exe
PID 2444 set thread context of 1212	2444	Payment_Advice MT103_PDF.exe	Explorer.EXE
PID 1232 set thread context of 1212	1232	cmmon32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Payment_Advice MT103_PDF.execmmon32.exe

pid	process
2444	Payment_Advice MT103_PDF.exe
2444	Payment_Advice MT103_PDF.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Payment_Advice MT103_PDF.execmmon32.exe

pid process

2444 Payment_Advice MT103_PDF.exe
2444 Payment_Advice MT103_PDF.exe
2444 Payment_Advice MT103_PDF.exe
1232 cmmon32.exe
1232 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Payment_Advice MT103_PDF.execmmon32.exe

description pid process

Token: SeDebugPrivilege 2444 Payment_Advice MT103_PDF.exe
Token: SeDebugPrivilege 1232 cmmon32.exe

description	pid	process
Token: SeDebugPrivilege	2444	Payment_Advice MT103_PDF.exe
Token: SeDebugPrivilege	1232	cmmon32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Payment_Advice MT103_PDF.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 1808 wrote to memory of 2444	1808	Payment_Advice MT103_PDF.exe	Payment_Advice MT103_PDF.exe
PID 1808 wrote to memory of 2444	1808	Payment_Advice MT103_PDF.exe	Payment_Advice MT103_PDF.exe
PID 1808 wrote to memory of 2444	1808	Payment_Advice MT103_PDF.exe	Payment_Advice MT103_PDF.exe
PID 1808 wrote to memory of 2444	1808	Payment_Advice MT103_PDF.exe	Payment_Advice MT103_PDF.exe
PID 1808 wrote to memory of 2444	1808	Payment_Advice MT103_PDF.exe	Payment_Advice MT103_PDF.exe
PID 1808 wrote to memory of 2444	1808	Payment_Advice MT103_PDF.exe	Payment_Advice MT103_PDF.exe
PID 1808 wrote to memory of 2444	1808	Payment_Advice MT103_PDF.exe	Payment_Advice MT103_PDF.exe
PID 1212 wrote to memory of 1232	1212	Explorer.EXE	cmmon32.exe
PID 1212 wrote to memory of 1232	1212	Explorer.EXE	cmmon32.exe
PID 1212 wrote to memory of 1232	1212	Explorer.EXE	cmmon32.exe
PID 1212 wrote to memory of 1232	1212	Explorer.EXE	cmmon32.exe
PID 1232 wrote to memory of 1624	1232	cmmon32.exe	cmd.exe
PID 1232 wrote to memory of 1624	1232	cmmon32.exe	cmd.exe
PID 1232 wrote to memory of 1624	1232	cmmon32.exe	cmd.exe
PID 1232 wrote to memory of 1624	1232	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\Payment_Advice MT103_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Payment_Advice MT103_PDF.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Local\Temp\Payment_Advice MT103_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Payment_Advice MT103_PDF.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Payment_Advice MT103_PDF.exe"
3⤵
- Deletes itself
PID:1624

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1212-17-0x0000000003A90000-0x0000000003B90000-memory.dmp

Filesize
1024KB

Download
memory/1212-28-0x0000000002DE0000-0x0000000002EAB000-memory.dmp

Filesize
812KB

Download
memory/1212-19-0x0000000002DE0000-0x0000000002EAB000-memory.dmp

Filesize
812KB

Download
memory/1232-27-0x0000000001E70000-0x0000000001EFF000-memory.dmp

Filesize
572KB

Download
memory/1232-24-0x0000000000100000-0x0000000000128000-memory.dmp

Filesize
160KB

Download
memory/1232-23-0x0000000002000000-0x0000000002303000-memory.dmp

Filesize
3.0MB

Download
memory/1232-22-0x0000000000100000-0x0000000000128000-memory.dmp

Filesize
160KB

Download
memory/1232-21-0x0000000000A60000-0x0000000000A6D000-memory.dmp

Filesize
52KB

Download
memory/1232-20-0x0000000000A60000-0x0000000000A6D000-memory.dmp

Filesize
52KB

Download
memory/1808-6-0x0000000005E20000-0x0000000005EBA000-memory.dmp

Filesize
616KB

Download
memory/1808-7-0x00000000005F0000-0x000000000061E000-memory.dmp

Filesize
184KB

Download
memory/1808-1-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/1808-13-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/1808-2-0x0000000001000000-0x0000000001040000-memory.dmp

Filesize
256KB

Download
memory/1808-3-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/1808-4-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/1808-5-0x0000000001000000-0x0000000001040000-memory.dmp

Filesize
256KB

Download
memory/1808-0-0x0000000001320000-0x0000000001466000-memory.dmp

Filesize
1.3MB

Download
memory/2444-14-0x00000000009A0000-0x0000000000CA3000-memory.dmp

Filesize
3.0MB

Download
memory/2444-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2444-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2444-18-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2444-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2444-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2444-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads