xloader | 13bce5abe3e50d2d91387b5de52da3b3339e0139d01072cca59114de61c58c44

General

Target

NEW ORDER DWG.exe
Size

64KB
MD5

29aa61fab0d0a3868c1bfc5af0573740
SHA1

6d0d3f16b8210385416f80d5dd52f88bc22d78b2
SHA256

13bce5abe3e50d2d91387b5de52da3b3339e0139d01072cca59114de61c58c44
SHA512

4c05803880d69203b9baee670638841c01e1065c3da0c93af38ab7c8e4cdf53e263c92e41105a2ec28af9247c6371636e915fdb15572f3495e0d381174625516

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.sayhellosarah.com/0tog/

Decoy

corona-info.space

laleach.com

dofreemovies.com

buntunm3.com

oxfordplainsdragway.info

hillsoverlandgear.com

unserenervos.xyz

mateacs.com

galepresbyterian.net

onlineorderingmadeeazy.com

simplyrhodeisland.com

vacandsew360.com

aspokanehome.com

shirleyswigshopinc.com

ymtfb16.com

yourpublishinganddesign.com

cbdafy.com

txtravelnurse.com

atonalai.net

ndiatv.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3768-128-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3768-129-0x000000000041CFE0-mapping.dmp	xloader
behavioral2/memory/1316-135-0x0000000000BA0000-0x0000000000BC8000-memory.dmp	xloader

Drops startup file 3 IoCs

Processes:

cmd.exeNEW ORDER DWG.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW ORDER DWG.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW ORDER DWG.exe	NEW ORDER DWG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW ORDER DWG.exe	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

NEW ORDER DWG.exeNEW ORDER DWG.execmd.exe

description	pid	process	target process
PID 3728 set thread context of 3768	3728	NEW ORDER DWG.exe	NEW ORDER DWG.exe
PID 3768 set thread context of 3028	3768	NEW ORDER DWG.exe	Explorer.EXE
PID 1316 set thread context of 3028	1316	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NEW ORDER DWG.exeNEW ORDER DWG.execmd.exe

pid	process
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3728	NEW ORDER DWG.exe
3768	NEW ORDER DWG.exe
3768	NEW ORDER DWG.exe
3768	NEW ORDER DWG.exe
3768	NEW ORDER DWG.exe
1316	cmd.exe
1316	cmd.exe
1316	cmd.exe
1316	cmd.exe
1316	cmd.exe
1316	cmd.exe
1316	cmd.exe
1316	cmd.exe
1316	cmd.exe
1316	cmd.exe
1316	cmd.exe
1316	cmd.exe
1316	cmd.exe
1316	cmd.exe
1316	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3028 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

NEW ORDER DWG.execmd.exe

pid process

3768 NEW ORDER DWG.exe
3768 NEW ORDER DWG.exe
3768 NEW ORDER DWG.exe
1316 cmd.exe
1316 cmd.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

NEW ORDER DWG.exeNEW ORDER DWG.execmd.exe

description pid process

Token: SeDebugPrivilege 3728 NEW ORDER DWG.exe
Token: SeDebugPrivilege 3768 NEW ORDER DWG.exe
Token: SeDebugPrivilege 1316 cmd.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3028 Explorer.EXE

pid	process
3028	Explorer.EXE

pid	process
3768	NEW ORDER DWG.exe
3768	NEW ORDER DWG.exe
3768	NEW ORDER DWG.exe
1316	cmd.exe
1316	cmd.exe

description	pid	process
Token: SeDebugPrivilege	3728	NEW ORDER DWG.exe
Token: SeDebugPrivilege	3768	NEW ORDER DWG.exe
Token: SeDebugPrivilege	1316	cmd.exe

pid	process
3028	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

NEW ORDER DWG.exeExplorer.EXE

description	pid	process	target process
PID 3728 wrote to memory of 1116	3728	NEW ORDER DWG.exe	cmd.exe
PID 3728 wrote to memory of 1116	3728	NEW ORDER DWG.exe	cmd.exe
PID 3728 wrote to memory of 1116	3728	NEW ORDER DWG.exe	cmd.exe
PID 3728 wrote to memory of 3768	3728	NEW ORDER DWG.exe	NEW ORDER DWG.exe
PID 3728 wrote to memory of 3768	3728	NEW ORDER DWG.exe	NEW ORDER DWG.exe
PID 3728 wrote to memory of 3768	3728	NEW ORDER DWG.exe	NEW ORDER DWG.exe
PID 3728 wrote to memory of 3768	3728	NEW ORDER DWG.exe	NEW ORDER DWG.exe
PID 3728 wrote to memory of 3768	3728	NEW ORDER DWG.exe	NEW ORDER DWG.exe
PID 3728 wrote to memory of 3768	3728	NEW ORDER DWG.exe	NEW ORDER DWG.exe
PID 3028 wrote to memory of 1316	3028	Explorer.EXE	cmd.exe
PID 3028 wrote to memory of 1316	3028	Explorer.EXE	cmd.exe
PID 3028 wrote to memory of 1316	3028	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\NEW ORDER DWG.exe
  "C:\Users\Admin\AppData\Local\Temp\NEW ORDER DWG.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Copy "C:\Users\Admin\AppData\Local\Temp\NEW ORDER DWG.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW ORDER DWG.exe"
    3⤵
    - Drops startup file
    PID:1116
- - C:\Users\Admin\AppData\Local\Temp\NEW ORDER DWG.exe
    "C:\Users\Admin\AppData\Local\Temp\NEW ORDER DWG.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW ORDER DWG.exe

MD5
29aa61fab0d0a3868c1bfc5af0573740

SHA1
6d0d3f16b8210385416f80d5dd52f88bc22d78b2

SHA256
13bce5abe3e50d2d91387b5de52da3b3339e0139d01072cca59114de61c58c44

SHA512
4c05803880d69203b9baee670638841c01e1065c3da0c93af38ab7c8e4cdf53e263c92e41105a2ec28af9247c6371636e915fdb15572f3495e0d381174625516

Download Submit
memory/1116-124-0x0000000000000000-mapping.dmp

Download
memory/1316-137-0x0000000003290000-0x000000000331F000-memory.dmp

Filesize
572KB

Download
memory/1316-136-0x00000000038B0000-0x0000000003BD0000-memory.dmp

Filesize
3.1MB

Download
memory/1316-134-0x0000000001080000-0x00000000010D9000-memory.dmp

Filesize
356KB

Download
memory/1316-135-0x0000000000BA0000-0x0000000000BC8000-memory.dmp

Filesize
160KB

Download
memory/1316-133-0x0000000000000000-mapping.dmp

Download
memory/3028-138-0x0000000006E30000-0x0000000006F5C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-132-0x00000000071C0000-0x000000000729E000-memory.dmp

Filesize
888KB

Download
memory/3728-121-0x0000000005DB0000-0x0000000005DDF000-memory.dmp

Filesize
188KB

Download
memory/3728-119-0x0000000004DB0000-0x00000000052AE000-memory.dmp

Filesize
5.0MB

Download
memory/3728-123-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/3728-127-0x0000000006050000-0x00000000060EC000-memory.dmp

Filesize
624KB

Download
memory/3728-125-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/3728-116-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/3728-117-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/3728-118-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/3728-122-0x0000000005E00000-0x0000000005E01000-memory.dmp

Filesize
4KB

Download
memory/3728-114-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3728-120-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/3768-128-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3768-130-0x0000000001900000-0x0000000001C20000-memory.dmp

Filesize
3.1MB

Download
memory/3768-131-0x0000000001610000-0x0000000001620000-memory.dmp

Filesize
64KB

Download
memory/3768-129-0x000000000041CFE0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads