xloader | 069a900aaa6ab5e4b9279cf5bd47e7123c37787f87ac58d6e64383685371ba52

General

Target

SWIFT 00395_IMG.exe
Size

13.4MB
MD5

f19e6012ff248b9b380bb420080258ce
SHA1

317ee43a8116aae39f3de3279620ecff4ac05b2c
SHA256

069a900aaa6ab5e4b9279cf5bd47e7123c37787f87ac58d6e64383685371ba52
SHA512

ad555d5a6bbd753825fba4a4665b4774d88f4011f3c7c6a2c0084fd40e59d66d2880b4a390cc8a172e51b67f8198d0fa481a981c916025f1642ace15c5ab1cdf

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.seroungift.com/bbqo/

Decoy

theinfluenstar.com

1800quilts.com

sonsuz-muzik.com

manilowsmodems.com

amwajcare.com

eam.email

cscosmos.com

tierraovens.com

goimtv.com

checks4d.com

beijig.com

szzyhjj.com

huanchunjx.com

catqq.one

vendasuascartas.com

cannatends.com

cytotecobatpenggugur.com

centralvalleypartners4youth.com

entreforma.com

azhathai.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2028-64-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/2004-71-0x0000000000090000-0x00000000000B8000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

SWIFT 00395_IMG.exe

pid process

1684 SWIFT 00395_IMG.exe

pid	process
1684	SWIFT 00395_IMG.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SWIFT 00395_IMG.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1684 set thread context of 2028	1684	SWIFT 00395_IMG.exe	svchost.exe
PID 2028 set thread context of 1228	2028	svchost.exe	Explorer.EXE
PID 2004 set thread context of 1228	2004	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

svchost.exesvchost.exe

pid	process
2028	svchost.exe
2028	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

SWIFT 00395_IMG.exesvchost.exesvchost.exe

pid process

1684 SWIFT 00395_IMG.exe
2028 svchost.exe
2028 svchost.exe
2028 svchost.exe
2004 svchost.exe
2004 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2028 svchost.exe
Token: SeDebugPrivilege 2004 svchost.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE

pid	process
1228	Explorer.EXE

pid	process
1684	SWIFT 00395_IMG.exe
2028	svchost.exe
2028	svchost.exe
2028	svchost.exe
2004	svchost.exe
2004	svchost.exe

description	pid	process
Token: SeDebugPrivilege	2028	svchost.exe
Token: SeDebugPrivilege	2004	svchost.exe

pid	process
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

SWIFT 00395_IMG.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 1684 wrote to memory of 2028	1684	SWIFT 00395_IMG.exe	svchost.exe
PID 1684 wrote to memory of 2028	1684	SWIFT 00395_IMG.exe	svchost.exe
PID 1684 wrote to memory of 2028	1684	SWIFT 00395_IMG.exe	svchost.exe
PID 1684 wrote to memory of 2028	1684	SWIFT 00395_IMG.exe	svchost.exe
PID 1684 wrote to memory of 2028	1684	SWIFT 00395_IMG.exe	svchost.exe
PID 1228 wrote to memory of 2004	1228	Explorer.EXE	svchost.exe
PID 1228 wrote to memory of 2004	1228	Explorer.EXE	svchost.exe
PID 1228 wrote to memory of 2004	1228	Explorer.EXE	svchost.exe
PID 1228 wrote to memory of 2004	1228	Explorer.EXE	svchost.exe
PID 2004 wrote to memory of 848	2004	svchost.exe	cmd.exe
PID 2004 wrote to memory of 848	2004	svchost.exe	cmd.exe
PID 2004 wrote to memory of 848	2004	svchost.exe	cmd.exe
PID 2004 wrote to memory of 848	2004	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\SWIFT 00395_IMG.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT 00395_IMG.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT 00395_IMG.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nss7A02.tmp\3bypcf8qb.dll
MD5
71d2d0b499c40f82a6cdd1ecdc4df303

SHA1
ae42e7a68b3affc5f56238fc46fb2faaad75b890

SHA256
0c3c61ba24bb070c77191b1134e337148ea90e9814083ffb84edf58ee497a2ef

SHA512
c64e28ca27d98e99e1132f59aa2bc8141cd49ab6ece0b9bf0539eca059eef962923a4890355482f1d22aa5902ff4ceff0da6dc3737a10a9050dda582cdbff67e

Download Submit
memory/848-69-0x0000000000000000-mapping.dmp

Download
memory/1228-67-0x0000000004220000-0x000000000430B000-memory.dmp

Filesize
940KB

Download
memory/1228-74-0x00000000067D0000-0x0000000006958000-memory.dmp

Filesize
1.5MB

Download
memory/1684-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1684-62-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/2004-68-0x0000000000000000-mapping.dmp

Download
memory/2004-70-0x0000000000080000-0x0000000000088000-memory.dmp

Filesize
32KB

Download
memory/2004-71-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/2004-72-0x0000000000920000-0x0000000000C23000-memory.dmp

Filesize
3.0MB

Download
memory/2004-73-0x00000000004B0000-0x000000000053F000-memory.dmp

Filesize
572KB

Download
memory/2028-63-0x000000000041D040-mapping.dmp

Download
memory/2028-65-0x0000000000AA0000-0x0000000000DA3000-memory.dmp

Filesize
3.0MB

Download
memory/2028-66-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/2028-64-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads