xloader | d3df1a5eed27cd76b426b3b041bf7acd61e50276461c888cf761f3fbd1cf06db

General

Target

BL01345678053567.exe
Size

44KB
MD5

34f07a647ee6506ce224b934e0c53d46
SHA1

f2063199535bc94679ff93ac54fde30927e9f3a0
SHA256

d3df1a5eed27cd76b426b3b041bf7acd61e50276461c888cf761f3fbd1cf06db
SHA512

0df0314cea9acf6a8c3ce9510c74781abc5f54b05ced0a974dc611a0f5b4a6d18da27ee4b9fb7ba6ffcabc1ff7ef183a5220a5b8a2ae83da752382f94666d71b

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.hnchotels.com/mb7q/

Decoy

thezensub.com

wapedir.com

itt.xyz

mindframediscovery.com

sitesolved.net

beyju.store

belatopapparel.xyz

ridgefitct.com

huanb.com

brustwarzentattoo.com

jlasoluciones.club

sinoagrifcf.com

theskineditco.com

ccsdinstructer.com

wealththinker.com

pradnyanamaya.com

szmsbk.com

meezingo.com

ivyshermanboutique.com

tkbeads.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1080-10-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1080-11-0x000000000041CF60-mapping.dmp	xloader
behavioral1/memory/268-21-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

616 cmd.exe

pid	process
616	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

BL01345678053567.exe

pid	process
1832	BL01345678053567.exe
1832	BL01345678053567.exe
1832	BL01345678053567.exe
1832	BL01345678053567.exe
1832	BL01345678053567.exe
1832	BL01345678053567.exe
1832	BL01345678053567.exe
1832	BL01345678053567.exe
1832	BL01345678053567.exe
1832	BL01345678053567.exe
1832	BL01345678053567.exe
1832	BL01345678053567.exe
1832	BL01345678053567.exe
1832	BL01345678053567.exe
1832	BL01345678053567.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

BL01345678053567.exeBL01345678053567.exeexplorer.exe

description	pid	process	target process
PID 1832 set thread context of 1080	1832	BL01345678053567.exe	BL01345678053567.exe
PID 1080 set thread context of 1244	1080	BL01345678053567.exe	Explorer.EXE
PID 268 set thread context of 1244	268	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1644 timeout.exe

pid	process
1644	timeout.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

BL01345678053567.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	BL01345678053567.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	BL01345678053567.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	BL01345678053567.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	BL01345678053567.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

BL01345678053567.exeBL01345678053567.exeexplorer.exe

pid	process
1832	BL01345678053567.exe
1832	BL01345678053567.exe
1832	BL01345678053567.exe
1080	BL01345678053567.exe
1080	BL01345678053567.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

BL01345678053567.exeexplorer.exe

pid process

1080 BL01345678053567.exe
1080 BL01345678053567.exe
1080 BL01345678053567.exe
268 explorer.exe
268 explorer.exe

pid	process
1080	BL01345678053567.exe
1080	BL01345678053567.exe
1080	BL01345678053567.exe
268	explorer.exe
268	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

BL01345678053567.exeBL01345678053567.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1832	BL01345678053567.exe
Token: SeDebugPrivilege	1080	BL01345678053567.exe
Token: SeDebugPrivilege	268	explorer.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE

pid	process
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE

pid	process
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

BL01345678053567.execmd.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 1832 wrote to memory of 1716	1832	BL01345678053567.exe	cmd.exe
PID 1832 wrote to memory of 1716	1832	BL01345678053567.exe	cmd.exe
PID 1832 wrote to memory of 1716	1832	BL01345678053567.exe	cmd.exe
PID 1832 wrote to memory of 1716	1832	BL01345678053567.exe	cmd.exe
PID 1716 wrote to memory of 1644	1716	cmd.exe	timeout.exe
PID 1716 wrote to memory of 1644	1716	cmd.exe	timeout.exe
PID 1716 wrote to memory of 1644	1716	cmd.exe	timeout.exe
PID 1716 wrote to memory of 1644	1716	cmd.exe	timeout.exe
PID 1832 wrote to memory of 1080	1832	BL01345678053567.exe	BL01345678053567.exe
PID 1832 wrote to memory of 1080	1832	BL01345678053567.exe	BL01345678053567.exe
PID 1832 wrote to memory of 1080	1832	BL01345678053567.exe	BL01345678053567.exe
PID 1832 wrote to memory of 1080	1832	BL01345678053567.exe	BL01345678053567.exe
PID 1832 wrote to memory of 1080	1832	BL01345678053567.exe	BL01345678053567.exe
PID 1832 wrote to memory of 1080	1832	BL01345678053567.exe	BL01345678053567.exe
PID 1832 wrote to memory of 1080	1832	BL01345678053567.exe	BL01345678053567.exe
PID 1832 wrote to memory of 1080	1832	BL01345678053567.exe	BL01345678053567.exe
PID 1244 wrote to memory of 268	1244	Explorer.EXE	explorer.exe
PID 1244 wrote to memory of 268	1244	Explorer.EXE	explorer.exe
PID 1244 wrote to memory of 268	1244	Explorer.EXE	explorer.exe
PID 1244 wrote to memory of 268	1244	Explorer.EXE	explorer.exe
PID 268 wrote to memory of 616	268	explorer.exe	cmd.exe
PID 268 wrote to memory of 616	268	explorer.exe	cmd.exe
PID 268 wrote to memory of 616	268	explorer.exe	cmd.exe
PID 268 wrote to memory of 616	268	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\BL01345678053567.exe
"C:\Users\Admin\AppData\Local\Temp\BL01345678053567.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1644

C:\Users\Admin\AppData\Local\Temp\BL01345678053567.exe
"C:\Users\Admin\AppData\Local\Temp\BL01345678053567.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\BL01345678053567.exe"
3⤵
- Deletes itself
PID:616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-16-0x0000000000000000-mapping.dmp

Download
memory/268-23-0x0000000002130000-0x00000000021BF000-memory.dmp

Filesize
572KB

Download
memory/268-20-0x00000000006D0000-0x0000000000951000-memory.dmp

Filesize
2.5MB

Download
memory/268-22-0x00000000022C0000-0x00000000025C3000-memory.dmp

Filesize
3.0MB

Download
memory/268-21-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/268-18-0x0000000074811000-0x0000000074813000-memory.dmp

Filesize
8KB

Download
memory/616-19-0x0000000000000000-mapping.dmp

Download
memory/1080-14-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/1080-11-0x000000000041CF60-mapping.dmp

Download
memory/1080-13-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/1080-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1244-15-0x0000000003BF0000-0x0000000003CB5000-memory.dmp

Filesize
788KB

Download
memory/1244-24-0x0000000006550000-0x0000000006652000-memory.dmp

Filesize
1.0MB

Download
memory/1644-9-0x0000000000000000-mapping.dmp

Download
memory/1716-8-0x0000000000000000-mapping.dmp

Download
memory/1832-2-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/1832-7-0x0000000004C30000-0x0000000004C69000-memory.dmp

Filesize
228KB

Download
memory/1832-6-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/1832-5-0x0000000075DE1000-0x0000000075DE3000-memory.dmp

Filesize
8KB

Download
memory/1832-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads