xloader | 6716f9ca37043f0684164a12c5971f67c738cefb8b8322556d970f60333d72b0

General

Target

PO_dated_11.05.2021.pdf.exe
Size

902KB
MD5

21e8676fede4e9e629ac0b0e36a3772a
SHA1

2643fb666f938fbdc0ce81994629a2ad152451af
SHA256

6716f9ca37043f0684164a12c5971f67c738cefb8b8322556d970f60333d72b0
SHA512

e527eec19599469bbecb64f502279a68b969920a3828524fdd455d232b3e9fdb14e4cda89623250ea6483113043ff48fa1fbe72c1b46c9ce5a0992661da00a54

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.ursulaaubri.com/s5cm/

Decoy

labibmasas.com

puppy-os.com

campingquick.com

bluewavewelding.com

qizhukeji.com

economiemalin.com

tomrings.com

mdduct.com

cloodgame.com

acadiepresse.com

daleradio.net

kampanyalisayfalar.digital

instrumentsets.com

centralcoastcardeals.com

xn--fiqyww2q3xd.xyz

annafelicia.com

vinkle.net

somebodyelsesdesigns.com

thatsohaute.com

gaoxiaoduan.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1264-128-0x000000000041D000-mapping.dmp	xloader
behavioral2/memory/1264-127-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3676-137-0x00000000005B0000-0x00000000005D8000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

PO_dated_11.05.2021.pdf.exeRegSvcs.execontrol.exe

description	pid	process	target process
PID 652 set thread context of 1264	652	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 1264 set thread context of 3052	1264	RegSvcs.exe	Explorer.EXE
PID 1264 set thread context of 3052	1264	RegSvcs.exe	Explorer.EXE
PID 3676 set thread context of 3052	3676	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1248 schtasks.exe

pid	process
1248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

PO_dated_11.05.2021.pdf.exeRegSvcs.execontrol.exe

pid	process
652	PO_dated_11.05.2021.pdf.exe
652	PO_dated_11.05.2021.pdf.exe
652	PO_dated_11.05.2021.pdf.exe
652	PO_dated_11.05.2021.pdf.exe
652	PO_dated_11.05.2021.pdf.exe
1264	RegSvcs.exe
1264	RegSvcs.exe
1264	RegSvcs.exe
1264	RegSvcs.exe
1264	RegSvcs.exe
1264	RegSvcs.exe
3676	control.exe
3676	control.exe
3676	control.exe
3676	control.exe
3676	control.exe
3676	control.exe
3676	control.exe
3676	control.exe
3676	control.exe
3676	control.exe
3676	control.exe
3676	control.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.execontrol.exe

pid process

1264 RegSvcs.exe
1264 RegSvcs.exe
1264 RegSvcs.exe
1264 RegSvcs.exe
3676 control.exe
3676 control.exe

pid	process
1264	RegSvcs.exe
1264	RegSvcs.exe
1264	RegSvcs.exe
1264	RegSvcs.exe
3676	control.exe
3676	control.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO_dated_11.05.2021.pdf.exeRegSvcs.execontrol.exe

description	pid	process
Token: SeDebugPrivilege	652	PO_dated_11.05.2021.pdf.exe
Token: SeDebugPrivilege	1264	RegSvcs.exe
Token: SeDebugPrivilege	3676	control.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

PO_dated_11.05.2021.pdf.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 652 wrote to memory of 1248	652	PO_dated_11.05.2021.pdf.exe	schtasks.exe
PID 652 wrote to memory of 1248	652	PO_dated_11.05.2021.pdf.exe	schtasks.exe
PID 652 wrote to memory of 1248	652	PO_dated_11.05.2021.pdf.exe	schtasks.exe
PID 652 wrote to memory of 3632	652	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 652 wrote to memory of 3632	652	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 652 wrote to memory of 3632	652	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 652 wrote to memory of 1276	652	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 652 wrote to memory of 1276	652	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 652 wrote to memory of 1276	652	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 652 wrote to memory of 1264	652	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 652 wrote to memory of 1264	652	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 652 wrote to memory of 1264	652	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 652 wrote to memory of 1264	652	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 652 wrote to memory of 1264	652	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 652 wrote to memory of 1264	652	PO_dated_11.05.2021.pdf.exe	RegSvcs.exe
PID 3052 wrote to memory of 3676	3052	Explorer.EXE	control.exe
PID 3052 wrote to memory of 3676	3052	Explorer.EXE	control.exe
PID 3052 wrote to memory of 3676	3052	Explorer.EXE	control.exe
PID 3676 wrote to memory of 1004	3676	control.exe	cmd.exe
PID 3676 wrote to memory of 1004	3676	control.exe	cmd.exe
PID 3676 wrote to memory of 1004	3676	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\PO_dated_11.05.2021.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO_dated_11.05.2021.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sCTCScVl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp199E.tmp"
3⤵
- Creates scheduled task(s)
PID:1248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:3632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:916

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp199E.tmp
MD5
90ea0ffdb00dbb57f8414f6c5edb5db7

SHA1
ef2f88fa789e451356ca231db6194e57fa581790

SHA256
897362c8e96231ec02ab6d5a9efb58a340ec1d34395f053161fb6da38e3161ca

SHA512
c6252f14bef3afbe102f7afa31acb413b2c5ba6b7acea896e6ae0d0960216557b4ff937d1a586aee6adb7283f7eb30c263b79058f41ebad0dfb47abea8f3db0e

Download Submit
memory/652-121-0x0000000002A30000-0x0000000002ACC000-memory.dmp

Filesize
624KB

Download
memory/652-117-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/652-118-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/652-119-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/652-120-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/652-122-0x0000000005330000-0x0000000005334000-memory.dmp

Filesize
16KB

Download
memory/652-123-0x0000000005FF0000-0x00000000060B8000-memory.dmp

Filesize
800KB

Download
memory/652-124-0x0000000005550000-0x00000000055D4000-memory.dmp

Filesize
528KB

Download
memory/652-116-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/652-114-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/1004-139-0x0000000000000000-mapping.dmp

Download
memory/1248-125-0x0000000000000000-mapping.dmp

Download
memory/1264-128-0x000000000041D000-mapping.dmp

Download
memory/1264-130-0x0000000001150000-0x0000000001470000-memory.dmp

Filesize
3.1MB

Download
memory/1264-131-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/1264-133-0x00000000014B0000-0x00000000014C0000-memory.dmp

Filesize
64KB

Download
memory/1264-127-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3052-132-0x0000000005C80000-0x0000000005E02000-memory.dmp

Filesize
1.5MB

Download
memory/3052-134-0x0000000005E10000-0x0000000005F7E000-memory.dmp

Filesize
1.4MB

Download
memory/3052-141-0x0000000006270000-0x00000000063FF000-memory.dmp

Filesize
1.6MB

Download
memory/3676-135-0x0000000000000000-mapping.dmp

Download
memory/3676-136-0x0000000001220000-0x0000000001240000-memory.dmp

Filesize
128KB

Download
memory/3676-137-0x00000000005B0000-0x00000000005D8000-memory.dmp

Filesize
160KB

Download
memory/3676-138-0x00000000047E0000-0x0000000004B00000-memory.dmp

Filesize
3.1MB

Download
memory/3676-140-0x00000000010A0000-0x000000000112F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads