xloader | a09c8246d5ddd3d7b444c2b89ae0b486b767e30d7340efb2d92e07ab7a806109

General

Target

BANKINV280308VBSINO.exe
Size

845KB
MD5

6fe314b5b083a64d830a528ba0568d70
SHA1

6875a0afb8f02b27ac0b1aca81571bdb8e427f65
SHA256

a09c8246d5ddd3d7b444c2b89ae0b486b767e30d7340efb2d92e07ab7a806109
SHA512

ff7d760d603890f3382cda0ab9becfceff2783011a4fcec28b4655892126e5c14619729238cfbda63110d14a3f5cf346258bc12ddc97bb9267ce864fa1584aa9

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.trendyheld.com/edbs/

Decoy

ehealthak.com

kingdavidtiferetshop.com

allincursive.com

quickshop.xyz

hallfaxgroupuk.online

barebeautybrand.com

verificationpays.com

2k20-aide.com

cameralogs.com

blackdotdesignco.com

thepredictable360.com

huangguanlin600270.com

hounslowkebab.com

kuppers.info

ohjoephoto.com

bhavyaarora.com

thecoolprojector.com

abelprocess.com

856379765.xyz

growth.run

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1564-68-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1564-69-0x000000000041D030-mapping.dmp	xloader
behavioral1/memory/536-78-0x00000000000C0000-0x00000000000E8000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

BANKINV280308VBSINO.exeRegSvcs.exewlanext.exe

description	pid	process	target process
PID 1684 set thread context of 1564	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1564 set thread context of 1228	1564	RegSvcs.exe	Explorer.EXE
PID 1564 set thread context of 1228	1564	RegSvcs.exe	Explorer.EXE
PID 536 set thread context of 1228	536	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

852 schtasks.exe

pid	process
852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

BANKINV280308VBSINO.exeRegSvcs.exewlanext.exe

pid	process
1684	BANKINV280308VBSINO.exe
1684	BANKINV280308VBSINO.exe
1684	BANKINV280308VBSINO.exe
1564	RegSvcs.exe
1564	RegSvcs.exe
1564	RegSvcs.exe
536	wlanext.exe
536	wlanext.exe
536	wlanext.exe
536	wlanext.exe
536	wlanext.exe
536	wlanext.exe
536	wlanext.exe
536	wlanext.exe
536	wlanext.exe
536	wlanext.exe
536	wlanext.exe
536	wlanext.exe
536	wlanext.exe
536	wlanext.exe
536	wlanext.exe
536	wlanext.exe
536	wlanext.exe
536	wlanext.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.exewlanext.exe

pid process

1564 RegSvcs.exe
1564 RegSvcs.exe
1564 RegSvcs.exe
1564 RegSvcs.exe
536 wlanext.exe
536 wlanext.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

BANKINV280308VBSINO.exeRegSvcs.exewlanext.exe

description pid process

Token: SeDebugPrivilege 1684 BANKINV280308VBSINO.exe
Token: SeDebugPrivilege 1564 RegSvcs.exe
Token: SeDebugPrivilege 536 wlanext.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE

pid	process
1564	RegSvcs.exe
1564	RegSvcs.exe
1564	RegSvcs.exe
1564	RegSvcs.exe
536	wlanext.exe
536	wlanext.exe

description	pid	process
Token: SeDebugPrivilege	1684	BANKINV280308VBSINO.exe
Token: SeDebugPrivilege	1564	RegSvcs.exe
Token: SeDebugPrivilege	536	wlanext.exe

pid	process
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

BANKINV280308VBSINO.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 1684 wrote to memory of 852	1684	BANKINV280308VBSINO.exe	schtasks.exe
PID 1684 wrote to memory of 852	1684	BANKINV280308VBSINO.exe	schtasks.exe
PID 1684 wrote to memory of 852	1684	BANKINV280308VBSINO.exe	schtasks.exe
PID 1684 wrote to memory of 852	1684	BANKINV280308VBSINO.exe	schtasks.exe
PID 1684 wrote to memory of 1504	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1684 wrote to memory of 1504	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1684 wrote to memory of 1504	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1684 wrote to memory of 1504	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1684 wrote to memory of 1504	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1684 wrote to memory of 1504	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1684 wrote to memory of 1504	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1684 wrote to memory of 1564	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1684 wrote to memory of 1564	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1684 wrote to memory of 1564	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1684 wrote to memory of 1564	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1684 wrote to memory of 1564	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1684 wrote to memory of 1564	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1684 wrote to memory of 1564	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1684 wrote to memory of 1564	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1684 wrote to memory of 1564	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1684 wrote to memory of 1564	1684	BANKINV280308VBSINO.exe	RegSvcs.exe
PID 1228 wrote to memory of 536	1228	Explorer.EXE	wlanext.exe
PID 1228 wrote to memory of 536	1228	Explorer.EXE	wlanext.exe
PID 1228 wrote to memory of 536	1228	Explorer.EXE	wlanext.exe
PID 1228 wrote to memory of 536	1228	Explorer.EXE	wlanext.exe
PID 536 wrote to memory of 548	536	wlanext.exe	cmd.exe
PID 536 wrote to memory of 548	536	wlanext.exe	cmd.exe
PID 536 wrote to memory of 548	536	wlanext.exe	cmd.exe
PID 536 wrote to memory of 548	536	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\BANKINV280308VBSINO.exe
"C:\Users\Admin\AppData\Local\Temp\BANKINV280308VBSINO.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SxbGfivF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2ECE.tmp"
3⤵
- Creates scheduled task(s)
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2ECE.tmp
MD5
40eaa4d0429ab80fe6bdf07f694e3752

SHA1
616597719c8b2bfa8b89d12897841dcdece13ad4

SHA256
a1d6d464456a6f826ec0faa8c79115fb05aa3a4526425b2e3fb48175819e3151

SHA512
379dbe69480290ecf7e60e7da13eae1e790667f2d239128723506defab593c2d032a6866c63f2a9f767a7c90bc1c0a584187b0b0bc9bf092ce2e6ad9969de11d

Download Submit
memory/536-76-0x0000000000000000-mapping.dmp

Download
memory/536-81-0x00000000007F0000-0x000000000087F000-memory.dmp

Filesize
572KB

Download
memory/536-80-0x0000000001FD0000-0x00000000022D3000-memory.dmp

Filesize
3.0MB

Download
memory/536-77-0x0000000000A20000-0x0000000000A36000-memory.dmp

Filesize
88KB

Download
memory/536-78-0x00000000000C0000-0x00000000000E8000-memory.dmp

Filesize
160KB

Download
memory/548-79-0x0000000000000000-mapping.dmp

Download
memory/852-66-0x0000000000000000-mapping.dmp

Download
memory/1228-73-0x0000000004220000-0x00000000042F1000-memory.dmp

Filesize
836KB

Download
memory/1228-82-0x0000000003E90000-0x0000000003F46000-memory.dmp

Filesize
728KB

Download
memory/1228-75-0x00000000067D0000-0x0000000006953000-memory.dmp

Filesize
1.5MB

Download
memory/1564-68-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1564-74-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/1564-72-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1564-69-0x000000000041D030-mapping.dmp

Download
memory/1564-71-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/1684-60-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/1684-65-0x00000000060B0000-0x000000000612A000-memory.dmp

Filesize
488KB

Download
memory/1684-64-0x0000000008000000-0x00000000080C9000-memory.dmp

Filesize
804KB

Download
memory/1684-63-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/1684-62-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads