xloader | de69ed8e2b3ba6de15b3f28b802725d41241e5b6d6717e522a2b53db860a1efb

General

Target

Advised Original Copy.exe
Size

116KB
MD5

c7204a082507c549863ff363ea3c087c
SHA1

aab2be6081caa29574b359933e908a47418e6e22
SHA256

de69ed8e2b3ba6de15b3f28b802725d41241e5b6d6717e522a2b53db860a1efb
SHA512

d7a0b3aa53072297d92323f262851c1e93eeab0fd74f5628c9bba803ec1452ee584ea2907e5c0ee542cb36997e87ce2db1600e725f5847724c6678dd24b8476d

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.innovativevan.com/i8be/

Decoy

cdymjim.icu

globalmilitaryaircraft.com

slusheestore.com

freepdfconvert.net

itadsweden.com

legenddocs.com

metholyptus.com

966cm.com

mobilitygloves-protect.com

travaze.net

go-kalisa.com

believehavefaith.com

nywebhost.com

semitsol.com

wowyuu.net

cochesb2b.com

gobesttobuy.com

senmec23.com

bmsgw.com

newazenterprise.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1272-70-0x0000000000401000-0x0000000000541000-memory.dmp	xloader
behavioral1/memory/960-76-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Advised Original Copy.exeAdvised Original Copy.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Advised Original Copy.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Advised Original Copy.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1504 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Advised Original Copy.exeAdvised Original Copy.exe

pid process

1688 Advised Original Copy.exe
1272 Advised Original Copy.exe
1272 Advised Original Copy.exe

pid	process
1504	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Advised Original Copy.exeAdvised Original Copy.exeNETSTAT.EXE

description	pid	process	target process
PID 1688 set thread context of 1272	1688	Advised Original Copy.exe	Advised Original Copy.exe
PID 1272 set thread context of 1208	1272	Advised Original Copy.exe	Explorer.EXE
PID 960 set thread context of 1208	960	NETSTAT.EXE	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

Advised Original Copy.exe

description ioc process

File opened for modification C:\Windows\win.ini Advised Original Copy.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

960 NETSTAT.EXE

description	ioc	process
File opened for modification	C:\Windows\win.ini	Advised Original Copy.exe

pid	process
960	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

Advised Original Copy.exeNETSTAT.EXE

pid	process
1272	Advised Original Copy.exe
1272	Advised Original Copy.exe
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE
960	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE

pid	process
1208	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Advised Original Copy.exeAdvised Original Copy.exeNETSTAT.EXE

pid	process
1688	Advised Original Copy.exe
1272	Advised Original Copy.exe
1272	Advised Original Copy.exe
1272	Advised Original Copy.exe
960	NETSTAT.EXE
960	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Advised Original Copy.exeNETSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1272	Advised Original Copy.exe
Token: SeDebugPrivilege	960	NETSTAT.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Advised Original Copy.exe

pid process

1688 Advised Original Copy.exe

pid	process
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Advised Original Copy.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1688 wrote to memory of 1272	1688	Advised Original Copy.exe	Advised Original Copy.exe
PID 1688 wrote to memory of 1272	1688	Advised Original Copy.exe	Advised Original Copy.exe
PID 1688 wrote to memory of 1272	1688	Advised Original Copy.exe	Advised Original Copy.exe
PID 1688 wrote to memory of 1272	1688	Advised Original Copy.exe	Advised Original Copy.exe
PID 1688 wrote to memory of 1272	1688	Advised Original Copy.exe	Advised Original Copy.exe
PID 1208 wrote to memory of 960	1208	Explorer.EXE	NETSTAT.EXE
PID 1208 wrote to memory of 960	1208	Explorer.EXE	NETSTAT.EXE
PID 1208 wrote to memory of 960	1208	Explorer.EXE	NETSTAT.EXE
PID 1208 wrote to memory of 960	1208	Explorer.EXE	NETSTAT.EXE
PID 960 wrote to memory of 1504	960	NETSTAT.EXE	cmd.exe
PID 960 wrote to memory of 1504	960	NETSTAT.EXE	cmd.exe
PID 960 wrote to memory of 1504	960	NETSTAT.EXE	cmd.exe
PID 960 wrote to memory of 1504	960	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\Advised Original Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Advised Original Copy.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\Advised Original Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Advised Original Copy.exe"
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Advised Original Copy.exe"
3⤵
- Deletes itself
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-74-0x0000000000000000-mapping.dmp

Download
memory/960-79-0x00000000006D0000-0x000000000075F000-memory.dmp

Filesize
572KB

Download
memory/960-77-0x0000000001FD0000-0x00000000022D3000-memory.dmp

Filesize
3.0MB

Download
memory/960-76-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/960-75-0x0000000000630000-0x0000000000639000-memory.dmp

Filesize
36KB

Download
memory/1208-73-0x0000000004CC0000-0x0000000004D91000-memory.dmp

Filesize
836KB

Download
memory/1208-80-0x0000000004F00000-0x0000000004FD1000-memory.dmp

Filesize
836KB

Download
memory/1272-72-0x000000001E720000-0x000000001E730000-memory.dmp

Filesize
64KB

Download
memory/1272-71-0x000000001E8F0000-0x000000001EBF3000-memory.dmp

Filesize
3.0MB

Download
memory/1272-70-0x0000000000401000-0x0000000000541000-memory.dmp

Filesize
1.2MB

Download
memory/1272-68-0x00000000001B0000-0x00000000002B0000-memory.dmp

Filesize
1024KB

Download
memory/1272-66-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1272-65-0x00000000004019EC-mapping.dmp

Download
memory/1504-78-0x0000000000000000-mapping.dmp

Download
memory/1688-63-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/1688-64-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads