xloader | acee640096f7e141ca83e9640c50a69b378059dd92a786c2374d97848da7cd49

General

Target

12042021493876783,xlsx.exe
Size

761KB
MD5

cd20bbd3e19a80fa77317cd2c42facdd
SHA1

41f9e2ee597df731ccd379c7e2a393fbafdbf6c0
SHA256

f2a1b48f82208d3d1bf4e613fd7c6a16f63c96ebb2c31ed502ec67cb6768b2f6
SHA512

4dd51b8d788bfaf6428b3b6336272d3ac5660d52d0efcda28bc0641ddf9d65b74c4700e6922b97a63e8edc82fd4b3e4e35f374b71251f205aefbe040d6ff2995

Score

10^/10

xloader loader persistence rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.werealestatephotography.com/hw6d/

Decoy

medicare101now.com

danahillathletics.com

realjobexpert.com

boulderhalle-hamburg.com

idoweddinghair.com

awdcompanies.com

thevillaflora.com

neutrasystems.com

allwest-originals.com

designtehengsg.com

thenewyorker.computer

ladybugtubs.com

silina-beauty24.com

mifangtu.com

fashionbranddeveloper.com

istanbulhookah.com

askyoyo.com

osaka-computer.net

conegenie.com

agteless.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1880-62-0x0000000000000000-mapping.dmp	xloader
behavioral1/memory/1880-74-0x0000000010410000-0x0000000010439000-memory.dmp	xloader
behavioral1/memory/844-83-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

Netplwiz.exeNetplwiz.exe

pid process

1140 Netplwiz.exe
1640 Netplwiz.exe

pid	process
1140	Netplwiz.exe
1640	Netplwiz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

12042021493876783,xlsx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dhiuyy = "C:\\Users\\Public\\Libraries\\yyuihD.url"	12042021493876783,xlsx.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

dialer.exemsdt.exe

description	pid	process	target process
PID 1880 set thread context of 1200	1880	dialer.exe	Explorer.EXE
PID 844 set thread context of 1200	844	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

dialer.exemsdt.exe

pid	process
1880	dialer.exe
1880	dialer.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe
844	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

dialer.exemsdt.exe

pid process

1880 dialer.exe
1880 dialer.exe
1880 dialer.exe
844 msdt.exe
844 msdt.exe

pid	process
1200	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

dialer.exeExplorer.EXEmsdt.exe

description	pid	process
Token: SeDebugPrivilege	1880	dialer.exe
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeDebugPrivilege	844	msdt.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE

pid	process
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE

pid	process
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

12042021493876783,xlsx.execmd.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 980 wrote to memory of 1880	980	12042021493876783,xlsx.exe	dialer.exe
PID 980 wrote to memory of 1880	980	12042021493876783,xlsx.exe	dialer.exe
PID 980 wrote to memory of 1880	980	12042021493876783,xlsx.exe	dialer.exe
PID 980 wrote to memory of 1880	980	12042021493876783,xlsx.exe	dialer.exe
PID 980 wrote to memory of 1880	980	12042021493876783,xlsx.exe	dialer.exe
PID 980 wrote to memory of 1880	980	12042021493876783,xlsx.exe	dialer.exe
PID 980 wrote to memory of 1880	980	12042021493876783,xlsx.exe	dialer.exe
PID 980 wrote to memory of 628	980	12042021493876783,xlsx.exe	cmd.exe
PID 980 wrote to memory of 628	980	12042021493876783,xlsx.exe	cmd.exe
PID 980 wrote to memory of 628	980	12042021493876783,xlsx.exe	cmd.exe
PID 980 wrote to memory of 628	980	12042021493876783,xlsx.exe	cmd.exe
PID 628 wrote to memory of 1696	628	cmd.exe	cmd.exe
PID 628 wrote to memory of 1696	628	cmd.exe	cmd.exe
PID 628 wrote to memory of 1696	628	cmd.exe	cmd.exe
PID 628 wrote to memory of 1696	628	cmd.exe	cmd.exe
PID 1200 wrote to memory of 844	1200	Explorer.EXE	msdt.exe
PID 1200 wrote to memory of 844	1200	Explorer.EXE	msdt.exe
PID 1200 wrote to memory of 844	1200	Explorer.EXE	msdt.exe
PID 1200 wrote to memory of 844	1200	Explorer.EXE	msdt.exe
PID 844 wrote to memory of 1376	844	msdt.exe	cmd.exe
PID 844 wrote to memory of 1376	844	msdt.exe	cmd.exe
PID 844 wrote to memory of 1376	844	msdt.exe	cmd.exe
PID 844 wrote to memory of 1376	844	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\12042021493876783,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\12042021493876783,xlsx.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\dialer.exe
C:\Windows\System32\dialer.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\stt.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat
4⤵
PID:1696

C:\Windows \System32\Netplwiz.exe
"C:\Windows \System32\Netplwiz.exe"
5⤵
- Executes dropped EXE
PID:1140

C:\Windows \System32\Netplwiz.exe
"C:\Windows \System32\Netplwiz.exe"
5⤵
- Executes dropped EXE
PID:1640

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\dialer.exe"
3⤵
PID:1376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\NETUTILS.dll
MD5
39507d772c63ca496a25a14a8b5d14b2

SHA1
5b603f5c11eb9ab4313694315b4d4894ff4641d4

SHA256
36d1fa474cd8271f9b74b9481025614b6ff309f767f69d9f1ff3960c7205ad12

SHA512
0c740fd7b6d67d9938b0d8e1ea7d6c41910dd6d0b85b4ec8b6015ff8c0c73798dee01f01da0b5b0c07038663aca7945faca0e2b5afc1cb751aaba7567d332f5f

Download Submit
C:\Users\Public\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
C:\Users\Public\PXOR.bat
MD5
0d8aef656413642f55e0902cc5df5e6f

SHA1
73ec56d08bd9b3c45d55c97bd1c1286b77c8ff49

SHA256
670f94b92f45bc2f3f44a80c7f3021f874aa16fde38ed7d7f3ebed13ae09fa11

SHA512
efe690b1bcf06e16be469622b45c98b5dc1f1e06410cbf7e7dccb2975524c4d6bc7e23de9a129d50d73cd924f02e23f925555894f2c7da1064dcc57151f50876

Download Submit
C:\Users\Public\stt.bat
MD5
8a850253c31df9a7e1c00c80df2630d5

SHA1
e3da74081b027a3b591488b28da22742bcfe8495

SHA256
8fdeba3ec903bde700342083d16f72452366aa0b1b30d0e58dee0af74cebfa35

SHA512
30510bdc34680a0865a0811d9be29dec91c74717feccd58c9b4d88e77be9e5d13a539806a1b2901aff595b2fe2cc45926b69ed42e899d2dd2913c78a732e84d1

Download Submit
C:\Windows \System32\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
C:\Windows \System32\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
memory/628-63-0x0000000000000000-mapping.dmp

Download
memory/844-85-0x0000000000820000-0x00000000008AF000-memory.dmp

Filesize
572KB

Download
memory/844-84-0x00000000021F0000-0x00000000024F3000-memory.dmp

Filesize
3.0MB

Download
memory/844-83-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/844-82-0x0000000000140000-0x0000000000234000-memory.dmp

Filesize
976KB

Download
memory/844-79-0x0000000000000000-mapping.dmp

Download
memory/980-61-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/980-60-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1200-78-0x0000000005FD0000-0x0000000006171000-memory.dmp

Filesize
1.6MB

Download
memory/1200-86-0x0000000006180000-0x00000000062D9000-memory.dmp

Filesize
1.3MB

Download
memory/1376-81-0x0000000000000000-mapping.dmp

Download
memory/1696-75-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1696-66-0x0000000000000000-mapping.dmp

Download
memory/1880-73-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1880-74-0x0000000010410000-0x0000000010439000-memory.dmp

Filesize
164KB

Download
memory/1880-76-0x0000000000C80000-0x0000000000F83000-memory.dmp

Filesize
3.0MB

Download
memory/1880-77-0x0000000000210000-0x0000000000220000-memory.dmp

Filesize
64KB

Download
memory/1880-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads