xloader | 414d26c286eeeda12cc3705aa3ed2ae06e901dc09795434e6abe4389f31c1e8e

General

Target

RFQ_R4100131210.pdf.exe
Size

624KB
MD5

c27bd99ca5f928a3bec7a716bd27d289
SHA1

f6ac29d30ec60cd1429bc2e31c85c8eda0bc871e
SHA256

414d26c286eeeda12cc3705aa3ed2ae06e901dc09795434e6abe4389f31c1e8e
SHA512

6cddff9fe566341de45813809e3435225fbdd75ecc73adfd630e832cb55444841a5c7bb9ec0c401d7f12eaa658032479405811bb2b7389527b14e6330327af7a

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.huamxvcyq.icu/aepn/

Decoy

noesos.com

partsus.xyz

manageordercentersupp.com

wickedwallart.com

hike4cash.com

theviragocircle.com

followthesharks.com

paradisevalleywines.com

unmetrolimpio.com

eurocarsnj.com

alvaroeliseo.com

bfc8.xyz

oldcourts.com

bkpef.info

mammately.com

agentcharles.com

wwwmichiganbulb.com

pensolid.info

hibiscushealthcare.com

mwanakbk.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2260-126-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2260-127-0x000000000041D070-mapping.dmp	xloader
behavioral2/memory/584-134-0x0000000003000000-0x0000000003029000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ_R4100131210.pdf.exeRegSvcs.exeNETSTAT.EXE

description	pid	process	target process
PID 3904 set thread context of 2260	3904	RFQ_R4100131210.pdf.exe	RegSvcs.exe
PID 2260 set thread context of 388	2260	RegSvcs.exe	Explorer.EXE
PID 584 set thread context of 388	584	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

584 NETSTAT.EXE

pid	process
584	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

RFQ_R4100131210.pdf.exeRegSvcs.exeNETSTAT.EXE

pid	process
3904	RFQ_R4100131210.pdf.exe
3904	RFQ_R4100131210.pdf.exe
3904	RFQ_R4100131210.pdf.exe
2260	RegSvcs.exe
2260	RegSvcs.exe
2260	RegSvcs.exe
2260	RegSvcs.exe
584	NETSTAT.EXE
584	NETSTAT.EXE
584	NETSTAT.EXE
584	NETSTAT.EXE
584	NETSTAT.EXE
584	NETSTAT.EXE
584	NETSTAT.EXE
584	NETSTAT.EXE
584	NETSTAT.EXE
584	NETSTAT.EXE
584	NETSTAT.EXE
584	NETSTAT.EXE
584	NETSTAT.EXE
584	NETSTAT.EXE
584	NETSTAT.EXE
584	NETSTAT.EXE
584	NETSTAT.EXE
584	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exeNETSTAT.EXE

pid process

2260 RegSvcs.exe
2260 RegSvcs.exe
2260 RegSvcs.exe
584 NETSTAT.EXE
584 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RFQ_R4100131210.pdf.exeRegSvcs.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 3904 RFQ_R4100131210.pdf.exe
Token: SeDebugPrivilege 2260 RegSvcs.exe
Token: SeDebugPrivilege 584 NETSTAT.EXE

pid	process
2260	RegSvcs.exe
2260	RegSvcs.exe
2260	RegSvcs.exe
584	NETSTAT.EXE
584	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	3904	RFQ_R4100131210.pdf.exe
Token: SeDebugPrivilege	2260	RegSvcs.exe
Token: SeDebugPrivilege	584	NETSTAT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

RFQ_R4100131210.pdf.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 3904 wrote to memory of 2260	3904	RFQ_R4100131210.pdf.exe	RegSvcs.exe
PID 3904 wrote to memory of 2260	3904	RFQ_R4100131210.pdf.exe	RegSvcs.exe
PID 3904 wrote to memory of 2260	3904	RFQ_R4100131210.pdf.exe	RegSvcs.exe
PID 3904 wrote to memory of 2260	3904	RFQ_R4100131210.pdf.exe	RegSvcs.exe
PID 3904 wrote to memory of 2260	3904	RFQ_R4100131210.pdf.exe	RegSvcs.exe
PID 3904 wrote to memory of 2260	3904	RFQ_R4100131210.pdf.exe	RegSvcs.exe
PID 388 wrote to memory of 584	388	Explorer.EXE	NETSTAT.EXE
PID 388 wrote to memory of 584	388	Explorer.EXE	NETSTAT.EXE
PID 388 wrote to memory of 584	388	Explorer.EXE	NETSTAT.EXE
PID 584 wrote to memory of 3808	584	NETSTAT.EXE	cmd.exe
PID 584 wrote to memory of 3808	584	NETSTAT.EXE	cmd.exe
PID 584 wrote to memory of 3808	584	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\RFQ_R4100131210.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_R4100131210.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:3808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-138-0x0000000006490000-0x00000000065CE000-memory.dmp

Filesize
1.2MB

Download
memory/388-131-0x0000000005FE0000-0x0000000006136000-memory.dmp

Filesize
1.3MB

Download
memory/584-137-0x0000000003560000-0x00000000035F0000-memory.dmp

Filesize
576KB

Download
memory/584-136-0x00000000031B0000-0x00000000034D0000-memory.dmp

Filesize
3.1MB

Download
memory/584-133-0x0000000000870000-0x000000000087B000-memory.dmp

Filesize
44KB

Download
memory/584-134-0x0000000003000000-0x0000000003029000-memory.dmp

Filesize
164KB

Download
memory/584-132-0x0000000000000000-mapping.dmp

Download
memory/2260-127-0x000000000041D070-mapping.dmp

Download
memory/2260-130-0x00000000012B0000-0x00000000012C1000-memory.dmp

Filesize
68KB

Download
memory/2260-129-0x00000000015E0000-0x0000000001900000-memory.dmp

Filesize
3.1MB

Download
memory/2260-126-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3808-135-0x0000000000000000-mapping.dmp

Download
memory/3904-120-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/3904-125-0x00000000013B0000-0x00000000013EE000-memory.dmp

Filesize
248KB

Download
memory/3904-124-0x00000000061F0000-0x0000000006272000-memory.dmp

Filesize
520KB

Download
memory/3904-122-0x0000000005260000-0x00000000052FC000-memory.dmp

Filesize
624KB

Download
memory/3904-123-0x000000007F3F0000-0x000000007F3F1000-memory.dmp

Filesize
4KB

Download
memory/3904-121-0x0000000005860000-0x0000000005869000-memory.dmp

Filesize
36KB

Download
memory/3904-114-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/3904-119-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/3904-118-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/3904-117-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/3904-116-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads