xloader | 3a96891372a8578aab18d70a377d68a795ab2f92c4c97c5f0986d7f1006490d1

General

Target

PO7321.exe
Size

562KB
MD5

774eca4068dce6d3db505c49af0a516e
SHA1

7708d1ed2bb3166bf74d0e92ac95bb8e379e1cf4
SHA256

3a96891372a8578aab18d70a377d68a795ab2f92c4c97c5f0986d7f1006490d1
SHA512

b9534efd5b6d87f87cc5a83f3e8a8875600f059bcfef60daa5526908cb0414d291682953cae75fab6c48805cfa9f5711f2b6dac04b299741a78a71f82b3954e0

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.013y.com/pnqr/

Decoy

bullexch9.com

hiiidesigns.com

yosapark-gakuenmae.com

movementinspires.com

orlandas.com

flowga.world

opende.info

jiconic.com

selviclothingco.com

herbalmedicineresearch.com

contex33.xyz

riord.com

alchemistslibrary.com

ecalyte.com

tutu119.com

61ue00.com

properwayllc.com

tamitoe.com

adacompliantsoftware.com

deliabe.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1180-6-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/868-12-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

796 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

PO7321.exe

pid process

1884 PO7321.exe

pid	process
796	cmd.exe

pid	process
1884	PO7321.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO7321.exePO7321.exesvchost.exe

description	pid	process	target process
PID 1884 set thread context of 1180	1884	PO7321.exe	PO7321.exe
PID 1180 set thread context of 1268	1180	PO7321.exe	Explorer.EXE
PID 868 set thread context of 1268	868	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

PO7321.exesvchost.exe

pid	process
1180	PO7321.exe
1180	PO7321.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe
868	svchost.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

PO7321.exePO7321.exesvchost.exe

pid process

1884 PO7321.exe
1180 PO7321.exe
1180 PO7321.exe
1180 PO7321.exe
868 svchost.exe
868 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO7321.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1180 PO7321.exe
Token: SeDebugPrivilege 868 svchost.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE

pid	process
1884	PO7321.exe
1180	PO7321.exe
1180	PO7321.exe
1180	PO7321.exe
868	svchost.exe
868	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1180	PO7321.exe
Token: SeDebugPrivilege	868	svchost.exe

pid	process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

PO7321.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 1884 wrote to memory of 1180	1884	PO7321.exe	PO7321.exe
PID 1884 wrote to memory of 1180	1884	PO7321.exe	PO7321.exe
PID 1884 wrote to memory of 1180	1884	PO7321.exe	PO7321.exe
PID 1884 wrote to memory of 1180	1884	PO7321.exe	PO7321.exe
PID 1884 wrote to memory of 1180	1884	PO7321.exe	PO7321.exe
PID 1268 wrote to memory of 868	1268	Explorer.EXE	svchost.exe
PID 1268 wrote to memory of 868	1268	Explorer.EXE	svchost.exe
PID 1268 wrote to memory of 868	1268	Explorer.EXE	svchost.exe
PID 1268 wrote to memory of 868	1268	Explorer.EXE	svchost.exe
PID 868 wrote to memory of 796	868	svchost.exe	cmd.exe
PID 868 wrote to memory of 796	868	svchost.exe	cmd.exe
PID 868 wrote to memory of 796	868	svchost.exe	cmd.exe
PID 868 wrote to memory of 796	868	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\PO7321.exe
"C:\Users\Admin\AppData\Local\Temp\PO7321.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\PO7321.exe
"C:\Users\Admin\AppData\Local\Temp\PO7321.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO7321.exe"
3⤵
- Deletes itself
PID:796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsi5533.tmp\57cmo2.dll
MD5
7418f8dc5479eeb371264cf36b4cf551

SHA1
40401572084a68334c508d98bf10aaa5a199bdc5

SHA256
c5adce72a02aafb28dab7c360b1f5555bdedfe1d9d97bda574b6d9d29377bda0

SHA512
95d76945159a4e25440281d4c361f3672798c0129aa0cdc18f187e98df90e499d30da80c6c9d8e3ae5cbebc9b98084b8cf10e3716f88e042140e07c80ca7406b

Download Submit
memory/440-18-0x000007FEF6F80000-0x000007FEF71FA000-memory.dmp

Filesize
2.5MB

Download
memory/796-14-0x0000000000000000-mapping.dmp

Download
memory/868-10-0x0000000000000000-mapping.dmp

Download
memory/868-12-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/868-11-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

Filesize
32KB

Download
memory/868-13-0x00000000007A0000-0x0000000000AA3000-memory.dmp

Filesize
3.0MB

Download
memory/868-15-0x0000000000580000-0x000000000060F000-memory.dmp

Filesize
572KB

Download
memory/1180-6-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1180-7-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1180-9-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/1180-4-0x000000000041D020-mapping.dmp

Download
memory/1268-8-0x0000000003C10000-0x0000000003CD2000-memory.dmp

Filesize
776KB

Download
memory/1268-16-0x0000000004D90000-0x0000000004EBB000-memory.dmp

Filesize
1.2MB

Download
memory/1884-2-0x0000000074D11000-0x0000000074D13000-memory.dmp

Filesize
8KB

Download
memory/1884-5-0x0000000000950000-0x0000000000952000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads