xloader | 48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908

General

Target

48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
Size

314KB
MD5

4a391bca07af23a8e735b4e4bba0a195
SHA1

8bd5c99ed285cb37429a7bf4a6e14012e4c04e1d
SHA256

48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908
SHA512

c46272ebd87e47186b682e4d64dfbde69aa60b7c8b4981af3accc89a943fd1d904b53bab8b87badfeace3b62e324970d85187543a5145ff8a57c982470dbdfba

Score

10^/10

xloader loader persistence rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.numbri.com/sb9r/

Decoy

greatdomainsales.com

otinca.com

paradiseinvestings.com

mygujaratjob.xyz

femmeacademy.com

thecrystaloutlets.com

tcv-group.com

beverlyjeanco.com

rxdrugrehab.com

jadrankaandco.com

latinoescort.com

boersenpodcast.com

strategicinsightltd.com

kuppers.info

stokje.com

monateki.com

merchantofsquash.com

herchanneltv.com

kloud-digital.com

yuemion.com

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\chrome.exe\","	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Nirsoft 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1936-128-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1936-129-0x000000000041D060-mapping.dmp	xloader
behavioral2/memory/1296-137-0x0000000000B60000-0x0000000000B89000-memory.dmp	xloader

Executes dropped EXE 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

pid process

3308 AdvancedRun.exe
1908 AdvancedRun.exe
1096 AdvancedRun.exe
2116 AdvancedRun.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exesvchost.exe

description	pid	process	target process
PID 3876 set thread context of 1936	3876	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
PID 1936 set thread context of 3016	1936	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe	Explorer.EXE
PID 1296 set thread context of 3016	1296	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exesvchost.exe

pid	process
3308	AdvancedRun.exe
3308	AdvancedRun.exe
3308	AdvancedRun.exe
3308	AdvancedRun.exe
1908	AdvancedRun.exe
1908	AdvancedRun.exe
1908	AdvancedRun.exe
1908	AdvancedRun.exe
1096	AdvancedRun.exe
1096	AdvancedRun.exe
1096	AdvancedRun.exe
1096	AdvancedRun.exe
2116	AdvancedRun.exe
2116	AdvancedRun.exe
2116	AdvancedRun.exe
2116	AdvancedRun.exe
3876	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
3876	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
1936	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
1936	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
1936	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
1936	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe
1296	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE

pid	process
3016	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exesvchost.exe

pid	process
1936	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
1936	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
1936	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
1296	svchost.exe
1296	svchost.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3308	AdvancedRun.exe
Token: SeImpersonatePrivilege	3308	AdvancedRun.exe
Token: SeDebugPrivilege	1908	AdvancedRun.exe
Token: SeImpersonatePrivilege	1908	AdvancedRun.exe
Token: SeDebugPrivilege	1096	AdvancedRun.exe
Token: SeImpersonatePrivilege	1096	AdvancedRun.exe
Token: SeDebugPrivilege	2116	AdvancedRun.exe
Token: SeImpersonatePrivilege	2116	AdvancedRun.exe
Token: SeDebugPrivilege	3876	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
Token: SeDebugPrivilege	1936	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
Token: SeDebugPrivilege	1296	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE

pid	process
3016	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exeAdvancedRun.exeAdvancedRun.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 3876 wrote to memory of 3308	3876	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe	AdvancedRun.exe
PID 3876 wrote to memory of 3308	3876	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe	AdvancedRun.exe
PID 3876 wrote to memory of 3308	3876	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe	AdvancedRun.exe
PID 3308 wrote to memory of 1908	3308	AdvancedRun.exe	AdvancedRun.exe
PID 3308 wrote to memory of 1908	3308	AdvancedRun.exe	AdvancedRun.exe
PID 3308 wrote to memory of 1908	3308	AdvancedRun.exe	AdvancedRun.exe
PID 3876 wrote to memory of 1096	3876	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe	AdvancedRun.exe
PID 3876 wrote to memory of 1096	3876	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe	AdvancedRun.exe
PID 3876 wrote to memory of 1096	3876	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe	AdvancedRun.exe
PID 1096 wrote to memory of 2116	1096	AdvancedRun.exe	AdvancedRun.exe
PID 1096 wrote to memory of 2116	1096	AdvancedRun.exe	AdvancedRun.exe
PID 1096 wrote to memory of 2116	1096	AdvancedRun.exe	AdvancedRun.exe
PID 3876 wrote to memory of 1936	3876	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
PID 3876 wrote to memory of 1936	3876	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
PID 3876 wrote to memory of 1936	3876	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
PID 3876 wrote to memory of 1936	3876	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
PID 3876 wrote to memory of 1936	3876	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
PID 3876 wrote to memory of 1936	3876	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe	48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
PID 3016 wrote to memory of 1296	3016	Explorer.EXE	svchost.exe
PID 3016 wrote to memory of 1296	3016	Explorer.EXE	svchost.exe
PID 3016 wrote to memory of 1296	3016	Explorer.EXE	svchost.exe
PID 1296 wrote to memory of 3792	1296	svchost.exe	cmd.exe
PID 1296 wrote to memory of 3792	1296	svchost.exe	cmd.exe
PID 1296 wrote to memory of 3792	1296	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
"C:\Users\Admin\AppData\Local\Temp\48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe"
2⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3308

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3308
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1096
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Users\Admin\AppData\Local\Temp\48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe
"C:\Users\Admin\AppData\Local\Temp\48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1).exe"
3⤵
PID:3792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/1096-124-0x0000000000000000-mapping.dmp

Download
memory/1296-134-0x0000000000000000-mapping.dmp

Download
memory/1296-139-0x0000000003090000-0x0000000003120000-memory.dmp

Filesize
576KB

Download
memory/1296-138-0x0000000003820000-0x0000000003B40000-memory.dmp

Filesize
3.1MB

Download
memory/1296-137-0x0000000000B60000-0x0000000000B89000-memory.dmp

Filesize
164KB

Download
memory/1296-136-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/1908-122-0x0000000000000000-mapping.dmp

Download
memory/1936-132-0x0000000001120000-0x0000000001131000-memory.dmp

Filesize
68KB

Download
memory/1936-128-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1936-129-0x000000000041D060-mapping.dmp

Download
memory/1936-131-0x0000000001160000-0x0000000001480000-memory.dmp

Filesize
3.1MB

Download
memory/2116-126-0x0000000000000000-mapping.dmp

Download
memory/3016-133-0x0000000006150000-0x000000000620C000-memory.dmp

Filesize
752KB

Download
memory/3016-140-0x0000000005EE0000-0x0000000006062000-memory.dmp

Filesize
1.5MB

Download
memory/3308-119-0x0000000000000000-mapping.dmp

Download
memory/3792-135-0x0000000000000000-mapping.dmp

Download
memory/3876-114-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/3876-116-0x0000000000C20000-0x0000000000C22000-memory.dmp

Filesize
8KB

Download
memory/3876-117-0x0000000002620000-0x000000000265E000-memory.dmp

Filesize
248KB

Download
memory/3876-118-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads