xloader | a7ad626a9a14d2e0bbf3c43954a8c9497b69e8c8b27fbdfc7d6fdf699613a6bc

General

Target

muestras de productos.exe
Size

927KB
MD5

0f346a68db9aa51d88cc26ed28920b51
SHA1

6013587a5e74bc0a6314f6491138937392911ed0
SHA256

a7ad626a9a14d2e0bbf3c43954a8c9497b69e8c8b27fbdfc7d6fdf699613a6bc
SHA512

c7b00ac68416c445ac55a3893e03a268a746ef3bf49be1baddb69057d09209ebdaac3cd251d000ed2dbc847b00b0b4c672241cc1e225b069b3ac76565cd6b5f6

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.recareerrecruiter.com/w56m/

Decoy

damai.zone

mywishbookweb.cloud

sandilakeclothing.bid

joysell.net

hackedwhores.com

sjdibang.com

memaquiahiga.com

bleeckerbobs.net

emmettthomas.com

thesheetz.com

mimik33.info

prettyprettybartending.com

3173596.com

shwangjia.com

sightuiop.com

tinnitusnow.online

mahadevexporters.com

cleaninglanarkshire.com

ibiaozhi.net

upinfame.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1504-68-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1504-69-0x000000000041D060-mapping.dmp	xloader
behavioral1/memory/1792-78-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

muestras de productos.exeRegSvcs.execmmon32.exe

description	pid	process	target process
PID 1304 set thread context of 1504	1304	muestras de productos.exe	RegSvcs.exe
PID 1504 set thread context of 1204	1504	RegSvcs.exe	Explorer.EXE
PID 1504 set thread context of 1204	1504	RegSvcs.exe	Explorer.EXE
PID 1792 set thread context of 1204	1792	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1484 schtasks.exe

pid	process
1484	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

muestras de productos.exeRegSvcs.execmmon32.exe

pid	process
1304	muestras de productos.exe
1304	muestras de productos.exe
1504	RegSvcs.exe
1504	RegSvcs.exe
1504	RegSvcs.exe
1792	cmmon32.exe
1792	cmmon32.exe
1792	cmmon32.exe
1792	cmmon32.exe
1792	cmmon32.exe
1792	cmmon32.exe
1792	cmmon32.exe
1792	cmmon32.exe
1792	cmmon32.exe
1792	cmmon32.exe
1792	cmmon32.exe
1792	cmmon32.exe
1792	cmmon32.exe
1792	cmmon32.exe
1792	cmmon32.exe
1792	cmmon32.exe
1792	cmmon32.exe
1792	cmmon32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.execmmon32.exe

pid process

1504 RegSvcs.exe
1504 RegSvcs.exe
1504 RegSvcs.exe
1504 RegSvcs.exe
1792 cmmon32.exe
1792 cmmon32.exe

pid	process
1504	RegSvcs.exe
1504	RegSvcs.exe
1504	RegSvcs.exe
1504	RegSvcs.exe
1792	cmmon32.exe
1792	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

muestras de productos.exeRegSvcs.execmmon32.exe

description	pid	process
Token: SeDebugPrivilege	1304	muestras de productos.exe
Token: SeDebugPrivilege	1504	RegSvcs.exe
Token: SeDebugPrivilege	1792	cmmon32.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

muestras de productos.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 1304 wrote to memory of 1484	1304	muestras de productos.exe	schtasks.exe
PID 1304 wrote to memory of 1484	1304	muestras de productos.exe	schtasks.exe
PID 1304 wrote to memory of 1484	1304	muestras de productos.exe	schtasks.exe
PID 1304 wrote to memory of 1484	1304	muestras de productos.exe	schtasks.exe
PID 1304 wrote to memory of 568	1304	muestras de productos.exe	RegSvcs.exe
PID 1304 wrote to memory of 568	1304	muestras de productos.exe	RegSvcs.exe
PID 1304 wrote to memory of 568	1304	muestras de productos.exe	RegSvcs.exe
PID 1304 wrote to memory of 568	1304	muestras de productos.exe	RegSvcs.exe
PID 1304 wrote to memory of 568	1304	muestras de productos.exe	RegSvcs.exe
PID 1304 wrote to memory of 568	1304	muestras de productos.exe	RegSvcs.exe
PID 1304 wrote to memory of 568	1304	muestras de productos.exe	RegSvcs.exe
PID 1304 wrote to memory of 1504	1304	muestras de productos.exe	RegSvcs.exe
PID 1304 wrote to memory of 1504	1304	muestras de productos.exe	RegSvcs.exe
PID 1304 wrote to memory of 1504	1304	muestras de productos.exe	RegSvcs.exe
PID 1304 wrote to memory of 1504	1304	muestras de productos.exe	RegSvcs.exe
PID 1304 wrote to memory of 1504	1304	muestras de productos.exe	RegSvcs.exe
PID 1304 wrote to memory of 1504	1304	muestras de productos.exe	RegSvcs.exe
PID 1304 wrote to memory of 1504	1304	muestras de productos.exe	RegSvcs.exe
PID 1304 wrote to memory of 1504	1304	muestras de productos.exe	RegSvcs.exe
PID 1304 wrote to memory of 1504	1304	muestras de productos.exe	RegSvcs.exe
PID 1304 wrote to memory of 1504	1304	muestras de productos.exe	RegSvcs.exe
PID 1204 wrote to memory of 1792	1204	Explorer.EXE	cmmon32.exe
PID 1204 wrote to memory of 1792	1204	Explorer.EXE	cmmon32.exe
PID 1204 wrote to memory of 1792	1204	Explorer.EXE	cmmon32.exe
PID 1204 wrote to memory of 1792	1204	Explorer.EXE	cmmon32.exe
PID 1792 wrote to memory of 1740	1792	cmmon32.exe	cmd.exe
PID 1792 wrote to memory of 1740	1792	cmmon32.exe	cmd.exe
PID 1792 wrote to memory of 1740	1792	cmmon32.exe	cmd.exe
PID 1792 wrote to memory of 1740	1792	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\muestras de productos.exe
"C:\Users\Admin\AppData\Local\Temp\muestras de productos.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbhLWEXYu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F66.tmp"
3⤵
- Creates scheduled task(s)
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6F66.tmp
MD5
23a930e960b18b1c2eab548edacefa02

SHA1
ff77aa49992aba8c8de3c3fcf37505a50ff56021

SHA256
08433cc9750585f7d26d994b2657a0035f8162ac4b9af67844bac35a49308647

SHA512
097fa935f12506759a69fda20c4717551c42356ed619a46a090ca34f1b786015e2a67ddae0b29c7b2ef81e00c9e2209faf4910ee210121cca3964bbf931b32fc

Download Submit
memory/1204-81-0x0000000006530000-0x000000000665A000-memory.dmp

Filesize
1.2MB

Download
memory/1204-74-0x0000000005F20000-0x0000000006021000-memory.dmp

Filesize
1.0MB

Download
memory/1204-72-0x0000000005E40000-0x0000000005F1C000-memory.dmp

Filesize
880KB

Download
memory/1304-60-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1304-62-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1304-63-0x0000000000380000-0x0000000000391000-memory.dmp

Filesize
68KB

Download
memory/1304-64-0x00000000056F0000-0x0000000005762000-memory.dmp

Filesize
456KB

Download
memory/1304-65-0x0000000000510000-0x000000000053D000-memory.dmp

Filesize
180KB

Download
memory/1484-66-0x0000000000000000-mapping.dmp

Download
memory/1504-71-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/1504-70-0x0000000000AC0000-0x0000000000DC3000-memory.dmp

Filesize
3.0MB

Download
memory/1504-69-0x000000000041D060-mapping.dmp

Download
memory/1504-73-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/1504-68-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1740-76-0x0000000000000000-mapping.dmp

Download
memory/1792-75-0x0000000000000000-mapping.dmp

Download
memory/1792-78-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1792-77-0x0000000000430000-0x000000000043D000-memory.dmp

Filesize
52KB

Download
memory/1792-79-0x0000000002020000-0x0000000002323000-memory.dmp

Filesize
3.0MB

Download
memory/1792-80-0x0000000001D50000-0x0000000001DE0000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads