xloader | feff12adf312ac89d4e5625650514d1fd28cb6ba417e3e27c45e4b1c5548cd68

General

Target

New order.exe
Size

205KB
MD5

c30480523e2f0d910f78aea742cb9c3a
SHA1

1edfdb02b75931f824ee82640283671be10398b4
SHA256

2eb57ff3dfafc142e693dd878044f38cb02090cbef35246b2525d19abf0fbaf5
SHA512

ad5289ced6ec2757af225d7830cab9684ee6e2a00a2088626d29b1d100920fde69062932d351d9d4a946ca269f4ba89800ad2ba02c198940204f94584c63b94d

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.onyxcomputing.com/u8nw/

Decoy

constructionjadams.com

organicwellnessfarm.com

beautiful.tours

medvows.com

foxparanormal.com

fsmxmc.com

graniterealestategroup.net

qgi1.com

astrologicsolutions.com

rafbar.com

bastiontools.net

emotist.com

stacyleets.com

bloodtypealpha.com

healtybenenfitsplus.com

vavadadoa3.com

chefbenhk.com

dotgz.com

xn--z4qm188e645c.com

ethyi.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1980-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1736-70-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1224 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

New order.exe

pid process

484 New order.exe

pid	process
1224	cmd.exe

pid	process
484	New order.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

New order.exeNew order.exeNETSTAT.EXE

description	pid	process	target process
PID 484 set thread context of 1980	484	New order.exe	New order.exe
PID 1980 set thread context of 1228	1980	New order.exe	Explorer.EXE
PID 1736 set thread context of 1228	1736	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1736 NETSTAT.EXE

pid	process
1736	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

New order.exeNETSTAT.EXE

pid	process
1980	New order.exe
1980	New order.exe
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE
1736	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

New order.exeNew order.exeNETSTAT.EXE

pid process

484 New order.exe
1980 New order.exe
1980 New order.exe
1980 New order.exe
1736 NETSTAT.EXE
1736 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

New order.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 1980 New order.exe
Token: SeDebugPrivilege 1736 NETSTAT.EXE
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE

pid	process
1228	Explorer.EXE

pid	process
484	New order.exe
1980	New order.exe
1980	New order.exe
1980	New order.exe
1736	NETSTAT.EXE
1736	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1980	New order.exe
Token: SeDebugPrivilege	1736	NETSTAT.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

New order.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 484 wrote to memory of 1980	484	New order.exe	New order.exe
PID 484 wrote to memory of 1980	484	New order.exe	New order.exe
PID 484 wrote to memory of 1980	484	New order.exe	New order.exe
PID 484 wrote to memory of 1980	484	New order.exe	New order.exe
PID 484 wrote to memory of 1980	484	New order.exe	New order.exe
PID 1228 wrote to memory of 1736	1228	Explorer.EXE	NETSTAT.EXE
PID 1228 wrote to memory of 1736	1228	Explorer.EXE	NETSTAT.EXE
PID 1228 wrote to memory of 1736	1228	Explorer.EXE	NETSTAT.EXE
PID 1228 wrote to memory of 1736	1228	Explorer.EXE	NETSTAT.EXE
PID 1736 wrote to memory of 1224	1736	NETSTAT.EXE	cmd.exe
PID 1736 wrote to memory of 1224	1736	NETSTAT.EXE	cmd.exe
PID 1736 wrote to memory of 1224	1736	NETSTAT.EXE	cmd.exe
PID 1736 wrote to memory of 1224	1736	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\New order.exe
"C:\Users\Admin\AppData\Local\Temp\New order.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:484

C:\Users\Admin\AppData\Local\Temp\New order.exe
"C:\Users\Admin\AppData\Local\Temp\New order.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\New order.exe"
3⤵
- Deletes itself
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsx208C.tmp\dpra.dll
MD5
3feb8ed49836d35cbab9f2bb9dfaa428

SHA1
c2a418b93c0bb81ef62267bfed522250321791db

SHA256
92dab948f60160d5aba56d2c8c30d83b0a7247ec4e3a8cccc74adb6ef799f051

SHA512
fe765d282f7fa205a0661f62c6023d71d08818b400c2a20fd868b8c66fdbe5a62218b570292423c1dc02c8881610f3dde55ae7dbbd86b7df3ae2e46d447ed732

Download Submit
memory/484-61-0x0000000000500000-0x0000000000502000-memory.dmp

Filesize
8KB

Download
memory/484-59-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1224-68-0x0000000000000000-mapping.dmp

Download
memory/1228-73-0x0000000004190000-0x0000000004281000-memory.dmp

Filesize
964KB

Download
memory/1228-66-0x0000000004D00000-0x0000000004E07000-memory.dmp

Filesize
1.0MB

Download
memory/1736-70-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1736-72-0x0000000001DC0000-0x0000000001E4F000-memory.dmp

Filesize
572KB

Download
memory/1736-69-0x00000000002C0000-0x00000000002C9000-memory.dmp

Filesize
36KB

Download
memory/1736-67-0x0000000000000000-mapping.dmp

Download
memory/1736-71-0x0000000002000000-0x0000000002303000-memory.dmp

Filesize
3.0MB

Download
memory/1980-62-0x000000000041D0C0-mapping.dmp

Download
memory/1980-64-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/1980-65-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1980-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads