xloader | 069a900aaa6ab5e4b9279cf5bd47e7123c37787f87ac58d6e64383685371ba52

General

Target

SWIFT 00395_IMG.exe
Size

13.4MB
MD5

f19e6012ff248b9b380bb420080258ce
SHA1

317ee43a8116aae39f3de3279620ecff4ac05b2c
SHA256

069a900aaa6ab5e4b9279cf5bd47e7123c37787f87ac58d6e64383685371ba52
SHA512

ad555d5a6bbd753825fba4a4665b4774d88f4011f3c7c6a2c0084fd40e59d66d2880b4a390cc8a172e51b67f8198d0fa481a981c916025f1642ace15c5ab1cdf

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.seroungift.com/bbqo/

Decoy

theinfluenstar.com

1800quilts.com

sonsuz-muzik.com

manilowsmodems.com

amwajcare.com

eam.email

cscosmos.com

tierraovens.com

goimtv.com

checks4d.com

beijig.com

szzyhjj.com

huanchunjx.com

catqq.one

vendasuascartas.com

cannatends.com

cytotecobatpenggugur.com

centralvalleypartners4youth.com

entreforma.com

azhathai.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2680-127-0x0000000002D70000-0x0000000002D98000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

SWIFT 00395_IMG.exe

pid process

3176 SWIFT 00395_IMG.exe

pid	process
3176	SWIFT 00395_IMG.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

SWIFT 00395_IMG.exesvchost.exewscript.exe

description	pid	process	target process
PID 3176 set thread context of 356	3176	SWIFT 00395_IMG.exe	svchost.exe
PID 356 set thread context of 2716	356	svchost.exe	Explorer.EXE
PID 356 set thread context of 2716	356	svchost.exe	Explorer.EXE
PID 2680 set thread context of 2716	2680	wscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

svchost.exewscript.exe

pid	process
356	svchost.exe
356	svchost.exe
356	svchost.exe
356	svchost.exe
356	svchost.exe
356	svchost.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe
2680	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2716 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

SWIFT 00395_IMG.exesvchost.exewscript.exe

pid process

3176 SWIFT 00395_IMG.exe
3176 SWIFT 00395_IMG.exe
356 svchost.exe
356 svchost.exe
356 svchost.exe
356 svchost.exe
2680 wscript.exe
2680 wscript.exe

pid	process
2716	Explorer.EXE

pid	process
3176	SWIFT 00395_IMG.exe
3176	SWIFT 00395_IMG.exe
356	svchost.exe
356	svchost.exe
356	svchost.exe
356	svchost.exe
2680	wscript.exe
2680	wscript.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exeExplorer.EXEwscript.exe

description	pid	process
Token: SeDebugPrivilege	356	svchost.exe
Token: SeShutdownPrivilege	2716	Explorer.EXE
Token: SeCreatePagefilePrivilege	2716	Explorer.EXE
Token: SeShutdownPrivilege	2716	Explorer.EXE
Token: SeCreatePagefilePrivilege	2716	Explorer.EXE
Token: SeDebugPrivilege	2680	wscript.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2716 Explorer.EXE

pid	process
2716	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

SWIFT 00395_IMG.exesvchost.exewscript.exe

description	pid	process	target process
PID 3176 wrote to memory of 356	3176	SWIFT 00395_IMG.exe	svchost.exe
PID 3176 wrote to memory of 356	3176	SWIFT 00395_IMG.exe	svchost.exe
PID 3176 wrote to memory of 356	3176	SWIFT 00395_IMG.exe	svchost.exe
PID 3176 wrote to memory of 356	3176	SWIFT 00395_IMG.exe	svchost.exe
PID 356 wrote to memory of 2680	356	svchost.exe	wscript.exe
PID 356 wrote to memory of 2680	356	svchost.exe	wscript.exe
PID 356 wrote to memory of 2680	356	svchost.exe	wscript.exe
PID 2680 wrote to memory of 4092	2680	wscript.exe	cmd.exe
PID 2680 wrote to memory of 4092	2680	wscript.exe	cmd.exe
PID 2680 wrote to memory of 4092	2680	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2716

C:\Users\Admin\AppData\Local\Temp\SWIFT 00395_IMG.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT 00395_IMG.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT 00395_IMG.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:356

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
5⤵
PID:4092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsiE02.tmp\3bypcf8qb.dll
MD5
71d2d0b499c40f82a6cdd1ecdc4df303

SHA1
ae42e7a68b3affc5f56238fc46fb2faaad75b890

SHA256
0c3c61ba24bb070c77191b1134e337148ea90e9814083ffb84edf58ee497a2ef

SHA512
c64e28ca27d98e99e1132f59aa2bc8141cd49ab6ece0b9bf0539eca059eef962923a4890355482f1d22aa5902ff4ceff0da6dc3737a10a9050dda582cdbff67e

Download Submit
memory/356-122-0x0000000002700000-0x000000000284A000-memory.dmp

Filesize
1.3MB

Download
memory/356-116-0x000000000024D040-mapping.dmp

Download
memory/356-119-0x0000000002E20000-0x0000000003140000-memory.dmp

Filesize
3.1MB

Download
memory/356-120-0x0000000002700000-0x000000000284A000-memory.dmp

Filesize
1.3MB

Download
memory/2680-126-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/2680-124-0x0000000000000000-mapping.dmp

Download
memory/2680-127-0x0000000002D70000-0x0000000002D98000-memory.dmp

Filesize
160KB

Download
memory/2680-128-0x0000000004A70000-0x0000000004D90000-memory.dmp

Filesize
3.1MB

Download
memory/2680-129-0x00000000047D0000-0x000000000485F000-memory.dmp

Filesize
572KB

Download
memory/2716-123-0x0000000005FE0000-0x000000000612D000-memory.dmp

Filesize
1.3MB

Download
memory/2716-121-0x0000000002CA0000-0x0000000002D70000-memory.dmp

Filesize
832KB

Download
memory/2716-130-0x0000000002A70000-0x0000000002B41000-memory.dmp

Filesize
836KB

Download
memory/3176-115-0x0000000002230000-0x0000000002253000-memory.dmp

Filesize
140KB

Download
memory/4092-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads