xloader | 7e0a23b6d3ed3afd6d96e3b30ee48deea20f2252a3b4f1e4d9d770121004951c

General

Target

PURCHASE ORDER 72121.exe
Size

661KB
MD5

a5964d858bf1688f2de5746ec08dabf5
SHA1

26e09b1f04394ff24d59c353c0d46b54afd8d363
SHA256

c1ac4c50a78b858365062dc71a9fe5f3a3bdf39b4d8902b1f8311f2c2a86064b
SHA512

bbd68474c00caaf56d82ddc688d6e523976b020736ab848683fcdbc5c647f36e52121b09866540bc3253ad4e86bc260be3e99886fc519a405e04e24ac13d4bb4

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.appackersandmoversbengaluru.com/p4se/

Decoy

weightlossforprofessionals.com

talkotstopandshop.com

everesttechsolutions.com

garboarts.com

esubastas-online.com

electriclastmile.com

tomio.tech

jacoty.com

knot-tied-up.com

energychoicesim.com

rocketcompaniessham.com

madarasapattinam.com

promosplace.com

newstarchurch.com

thesaleskitchen.com

slingmodeinc.com

jobresulthub.com

pillclk.com

shipu119.com

sibalcar.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/592-65-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/592-66-0x000000000041D0F0-mapping.dmp	xloader
behavioral1/memory/1148-73-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1112 cmd.exe

pid	process
1112	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PURCHASE ORDER 72121.exePURCHASE ORDER 72121.exechkdsk.exe

description	pid	process	target process
PID 1836 set thread context of 592	1836	PURCHASE ORDER 72121.exe	PURCHASE ORDER 72121.exe
PID 592 set thread context of 1208	592	PURCHASE ORDER 72121.exe	Explorer.EXE
PID 1148 set thread context of 1208	1148	chkdsk.exe	Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

PURCHASE ORDER 72121.exechkdsk.exe

pid	process
592	PURCHASE ORDER 72121.exe
592	PURCHASE ORDER 72121.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PURCHASE ORDER 72121.exechkdsk.exe

pid process

592 PURCHASE ORDER 72121.exe
592 PURCHASE ORDER 72121.exe
592 PURCHASE ORDER 72121.exe
1148 chkdsk.exe
1148 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PURCHASE ORDER 72121.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 592 PURCHASE ORDER 72121.exe
Token: SeDebugPrivilege 1148 chkdsk.exe

description	pid	process
Token: SeDebugPrivilege	592	PURCHASE ORDER 72121.exe
Token: SeDebugPrivilege	1148	chkdsk.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

PURCHASE ORDER 72121.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 1836 wrote to memory of 592	1836	PURCHASE ORDER 72121.exe	PURCHASE ORDER 72121.exe
PID 1836 wrote to memory of 592	1836	PURCHASE ORDER 72121.exe	PURCHASE ORDER 72121.exe
PID 1836 wrote to memory of 592	1836	PURCHASE ORDER 72121.exe	PURCHASE ORDER 72121.exe
PID 1836 wrote to memory of 592	1836	PURCHASE ORDER 72121.exe	PURCHASE ORDER 72121.exe
PID 1836 wrote to memory of 592	1836	PURCHASE ORDER 72121.exe	PURCHASE ORDER 72121.exe
PID 1836 wrote to memory of 592	1836	PURCHASE ORDER 72121.exe	PURCHASE ORDER 72121.exe
PID 1836 wrote to memory of 592	1836	PURCHASE ORDER 72121.exe	PURCHASE ORDER 72121.exe
PID 1208 wrote to memory of 1148	1208	Explorer.EXE	chkdsk.exe
PID 1208 wrote to memory of 1148	1208	Explorer.EXE	chkdsk.exe
PID 1208 wrote to memory of 1148	1208	Explorer.EXE	chkdsk.exe
PID 1208 wrote to memory of 1148	1208	Explorer.EXE	chkdsk.exe
PID 1148 wrote to memory of 1112	1148	chkdsk.exe	cmd.exe
PID 1148 wrote to memory of 1112	1148	chkdsk.exe	cmd.exe
PID 1148 wrote to memory of 1112	1148	chkdsk.exe	cmd.exe
PID 1148 wrote to memory of 1112	1148	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER 72121.exe
  "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER 72121.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER 72121.exe
    "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER 72121.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER 72121.exe"
    3⤵
    - Deletes itself
    PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-65-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/592-67-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/592-68-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/592-66-0x000000000041D0F0-mapping.dmp

Download
memory/1112-71-0x0000000000000000-mapping.dmp

Download
memory/1148-72-0x0000000000450000-0x0000000000457000-memory.dmp

Filesize
28KB

Download
memory/1148-70-0x0000000000000000-mapping.dmp

Download
memory/1148-74-0x0000000002090000-0x0000000002393000-memory.dmp

Filesize
3.0MB

Download
memory/1148-73-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1148-75-0x0000000001F40000-0x0000000001FCF000-memory.dmp

Filesize
572KB

Download
memory/1208-69-0x0000000006FC0000-0x00000000070DF000-memory.dmp

Filesize
1.1MB

Download
memory/1208-76-0x0000000004A00000-0x0000000004B28000-memory.dmp

Filesize
1.2MB

Download
memory/1836-64-0x00000000008C0000-0x00000000008F0000-memory.dmp

Filesize
192KB

Download
memory/1836-63-0x0000000005160000-0x00000000051D5000-memory.dmp

Filesize
468KB

Download
memory/1836-62-0x0000000000480000-0x000000000049B000-memory.dmp

Filesize
108KB

Download
memory/1836-61-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/1836-59-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads