xloader | 6716f9ca37043f0684164a12c5971f67c738cefb8b8322556d970f60333d72b0

General

Target

PO_dated_11.05.2021.pdf.exe
Size

902KB
MD5

21e8676fede4e9e629ac0b0e36a3772a
SHA1

2643fb666f938fbdc0ce81994629a2ad152451af
SHA256

6716f9ca37043f0684164a12c5971f67c738cefb8b8322556d970f60333d72b0
SHA512

e527eec19599469bbecb64f502279a68b969920a3828524fdd455d232b3e9fdb14e4cda89623250ea6483113043ff48fa1fbe72c1b46c9ce5a0992661da00a54

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.ursulaaubri.com/s5cm/

Decoy

labibmasas.com

puppy-os.com

campingquick.com

bluewavewelding.com

qizhukeji.com

economiemalin.com

tomrings.com

mdduct.com

cloodgame.com

acadiepresse.com

daleradio.net

kampanyalisayfalar.digital

instrumentsets.com

centralcoastcardeals.com

xn--fiqyww2q3xd.xyz

annafelicia.com

vinkle.net

somebodyelsesdesigns.com

thatsohaute.com

gaoxiaoduan.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/384-68-0x000000000041D000-mapping.dmp	xloader
behavioral1/memory/384-67-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/924-75-0x0000000000090000-0x00000000000B8000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO_dated_11.05.2021.pdf.exeRegSvcs.exewuapp.exe

description	pid	process	target process
PID 1820 set thread context of 384	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 384 set thread context of 1208	384	RegSvcs.exe	Explorer.EXE
PID 924 set thread context of 1208	924	wuapp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

736 schtasks.exe

pid	process
736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

PO_dated_11.05.2021.pdf.exeRegSvcs.exewuapp.exe

pid	process
1820	PO_dated_11.05.2021.pdf.exe
384	RegSvcs.exe
384	RegSvcs.exe
924	wuapp.exe
924	wuapp.exe
924	wuapp.exe
924	wuapp.exe
924	wuapp.exe
924	wuapp.exe
924	wuapp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exewuapp.exe

pid process

384 RegSvcs.exe
384 RegSvcs.exe
384 RegSvcs.exe
924 wuapp.exe
924 wuapp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO_dated_11.05.2021.pdf.exeRegSvcs.exewuapp.exe

description pid process

Token: SeDebugPrivilege 1820 PO_dated_11.05.2021.pdf.exe
Token: SeDebugPrivilege 384 RegSvcs.exe
Token: SeDebugPrivilege 924 wuapp.exe

pid	process
384	RegSvcs.exe
384	RegSvcs.exe
384	RegSvcs.exe
924	wuapp.exe
924	wuapp.exe

description	pid	process
Token: SeDebugPrivilege	1820	PO_dated_11.05.2021.pdf.exe
Token: SeDebugPrivilege	384	RegSvcs.exe
Token: SeDebugPrivilege	924	wuapp.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

PO_dated_11.05.2021.pdf.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 1820 wrote to memory of 736	1820	PO_dated_11.05.2021.pdf.exe	schtasks.exe
PID 1820 wrote to memory of 736	1820	PO_dated_11.05.2021.pdf.exe	schtasks.exe
PID 1820 wrote to memory of 736	1820	PO_dated_11.05.2021.pdf.exe	schtasks.exe
PID 1820 wrote to memory of 736	1820	PO_dated_11.05.2021.pdf.exe	schtasks.exe
PID 1820 wrote to memory of 816	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1820 wrote to memory of 816	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1820 wrote to memory of 816	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1820 wrote to memory of 816	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1820 wrote to memory of 816	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1820 wrote to memory of 816	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1820 wrote to memory of 816	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1820 wrote to memory of 384	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1820 wrote to memory of 384	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1820 wrote to memory of 384	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1820 wrote to memory of 384	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1820 wrote to memory of 384	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1820 wrote to memory of 384	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1820 wrote to memory of 384	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1820 wrote to memory of 384	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1820 wrote to memory of 384	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1820 wrote to memory of 384	1820	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1208 wrote to memory of 924	1208	Explorer.EXE	wuapp.exe
PID 1208 wrote to memory of 924	1208	Explorer.EXE	wuapp.exe
PID 1208 wrote to memory of 924	1208	Explorer.EXE	wuapp.exe
PID 1208 wrote to memory of 924	1208	Explorer.EXE	wuapp.exe
PID 1208 wrote to memory of 924	1208	Explorer.EXE	wuapp.exe
PID 1208 wrote to memory of 924	1208	Explorer.EXE	wuapp.exe
PID 1208 wrote to memory of 924	1208	Explorer.EXE	wuapp.exe
PID 924 wrote to memory of 1136	924	wuapp.exe	cmd.exe
PID 924 wrote to memory of 1136	924	wuapp.exe	cmd.exe
PID 924 wrote to memory of 1136	924	wuapp.exe	cmd.exe
PID 924 wrote to memory of 1136	924	wuapp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\PO_dated_11.05.2021.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO_dated_11.05.2021.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sCTCScVl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp51F.tmp"
3⤵
- Creates scheduled task(s)
PID:736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1136

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp51F.tmp
MD5
403ecaa0f5a07f6f88a2379e99e8eb1a

SHA1
bddb503bf01da18b529f6d318c03b4bf89a0e7a2

SHA256
fceb01b71e59bd32e5257d165ee83976580f2243cd1ac090f0aed0c5300cdcd3

SHA512
3b1fb5fbacf11721c5894f1012e8d01cb8571dbf7e3be8006b569cc868fbdec3c27510a8b2b393825a834231f1c0b3cf889d88a93c2d9c553eae9e2b2c86a948

Download Submit
memory/384-71-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/384-70-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

Filesize
3.0MB

Download
memory/384-67-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/384-68-0x000000000041D000-mapping.dmp

Download
memory/736-65-0x0000000000000000-mapping.dmp

Download
memory/924-73-0x0000000000000000-mapping.dmp

Download
memory/924-74-0x0000000000370000-0x000000000037B000-memory.dmp

Filesize
44KB

Download
memory/924-76-0x0000000001FE0000-0x00000000022E3000-memory.dmp

Filesize
3.0MB

Download
memory/924-75-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/924-78-0x0000000000410000-0x000000000049F000-memory.dmp

Filesize
572KB

Download
memory/1136-77-0x0000000000000000-mapping.dmp

Download
memory/1208-72-0x0000000004790000-0x0000000004880000-memory.dmp

Filesize
960KB

Download
memory/1208-79-0x0000000004CF0000-0x0000000004E3D000-memory.dmp

Filesize
1.3MB

Download
memory/1820-64-0x0000000004CB0000-0x0000000004D34000-memory.dmp

Filesize
528KB

Download
memory/1820-63-0x0000000005230000-0x00000000052F8000-memory.dmp

Filesize
800KB

Download
memory/1820-62-0x0000000000580000-0x0000000000584000-memory.dmp

Filesize
16KB

Download
memory/1820-61-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/1820-59-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads