xloader | 40713f300e2694a2f2e99d63fb94b1cd3d8cc01c33a801256103fcda45f94717

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
13-05-2021 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

slot Charges.exe
Size

205KB
MD5

5830b69895c4f5b70d2f5c94cd718fa6
SHA1

4ccc32740d632777fd30c8029ca2ef6c3def984c
SHA256

735d11c1fa476083846e9e622af57a902ff20be1a1bbce7d8ec9f7f4179d1bb3
SHA512

a7763bd57e9e107992b7073ad02d0dc7981696a2cb7449ee20f8e5b233e61f5f029af23348c5225469c68c015ba8e20e18c8bd5f0b949863b620363edc24dd79

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

http://www.onyxcomputing.com/u8nw/

Decoy

constructionjadams.com

organicwellnessfarm.com

beautiful.tours

medvows.com

foxparanormal.com

fsmxmc.com

graniterealestategroup.net

qgi1.com

astrologicsolutions.com

rafbar.com

bastiontools.net

emotist.com

stacyleets.com

bloodtypealpha.com

healtybenenfitsplus.com

vavadadoa3.com

chefbenhk.com

dotgz.com

xn--z4qm188e645c.com

ethyi.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral22/memory/2808-117-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral22/memory/3340-123-0x0000000002840000-0x0000000002869000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

slot Charges.exe

pid process

572 slot Charges.exe

pid	process
572	slot Charges.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

slot Charges.exeslot Charges.exesvchost.exe

description	pid	process	target process
PID 572 set thread context of 2808	572	slot Charges.exe	slot Charges.exe
PID 2808 set thread context of 2988	2808	slot Charges.exe	Explorer.EXE
PID 3340 set thread context of 2988	3340	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

slot Charges.exesvchost.exe

pid	process
2808	slot Charges.exe
2808	slot Charges.exe
2808	slot Charges.exe
2808	slot Charges.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe
3340	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2988 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

slot Charges.exeslot Charges.exesvchost.exe

pid process

572 slot Charges.exe
2808 slot Charges.exe
2808 slot Charges.exe
2808 slot Charges.exe
3340 svchost.exe
3340 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

slot Charges.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2808 slot Charges.exe
Token: SeDebugPrivilege 3340 svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

2988 Explorer.EXE
2988 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

2988 Explorer.EXE
2988 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2988 Explorer.EXE

pid	process
2988	Explorer.EXE

pid	process
572	slot Charges.exe
2808	slot Charges.exe
2808	slot Charges.exe
2808	slot Charges.exe
3340	svchost.exe
3340	svchost.exe

description	pid	process
Token: SeDebugPrivilege	2808	slot Charges.exe
Token: SeDebugPrivilege	3340	svchost.exe

pid	process
2988	Explorer.EXE
2988	Explorer.EXE

pid	process
2988	Explorer.EXE
2988	Explorer.EXE

pid	process
2988	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

slot Charges.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 572 wrote to memory of 2808	572	slot Charges.exe	slot Charges.exe
PID 572 wrote to memory of 2808	572	slot Charges.exe	slot Charges.exe
PID 572 wrote to memory of 2808	572	slot Charges.exe	slot Charges.exe
PID 572 wrote to memory of 2808	572	slot Charges.exe	slot Charges.exe
PID 2988 wrote to memory of 3340	2988	Explorer.EXE	svchost.exe
PID 2988 wrote to memory of 3340	2988	Explorer.EXE	svchost.exe
PID 2988 wrote to memory of 3340	2988	Explorer.EXE	svchost.exe
PID 3340 wrote to memory of 2380	3340	svchost.exe	cmd.exe
PID 3340 wrote to memory of 2380	3340	svchost.exe	cmd.exe
PID 3340 wrote to memory of 2380	3340	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\slot Charges.exe
"C:\Users\Admin\AppData\Local\Temp\slot Charges.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:572

C:\Users\Admin\AppData\Local\Temp\slot Charges.exe
"C:\Users\Admin\AppData\Local\Temp\slot Charges.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:3756

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\slot Charges.exe"
3⤵
PID:2380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy4EC3.tmp\2r8212a51w7v2sg.dll

MD5
49365ee03b9fe23b388339b8ac84bd9b

SHA1
fb94c016fd957d00dcd85c8ec9ac7ae677d314b1

SHA256
f9066e31398e722f92ddc2e7c58a51509b1963405358e1be714454c144644c2f

SHA512
a46fd827b213e39cbf0c584a94fd7219f98712d7e8ff3d7ced5924efc9f8521c1752f7774ed906d3f4a1bfc7c8ce49d8fb344567c59f140afa991321b40929b1

Download Submit
memory/572-115-0x00000000028A0000-0x00000000028C3000-memory.dmp

Filesize
140KB

Download
memory/2380-124-0x0000000000000000-mapping.dmp

Download
memory/2808-116-0x000000000041D0C0-mapping.dmp

Download
memory/2808-117-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-118-0x0000000000970000-0x0000000000C90000-memory.dmp

Filesize
3.1MB

Download
memory/2808-119-0x0000000000430000-0x000000000057A000-memory.dmp

Filesize
1.3MB

Download
memory/2988-120-0x00000000050E0000-0x0000000005218000-memory.dmp

Filesize
1.2MB

Download
memory/2988-127-0x0000000002A20000-0x0000000002AF8000-memory.dmp

Filesize
864KB

Download
memory/3340-122-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/3340-123-0x0000000002840000-0x0000000002869000-memory.dmp

Filesize
164KB

Download
memory/3340-121-0x0000000000000000-mapping.dmp

Download
memory/3340-125-0x0000000002E20000-0x0000000003140000-memory.dmp

Filesize
3.1MB

Download
memory/3340-126-0x0000000002B00000-0x0000000002B8F000-memory.dmp

Filesize
572KB

Download