xloader | a7ad626a9a14d2e0bbf3c43954a8c9497b69e8c8b27fbdfc7d6fdf699613a6bc

General

Target

muestras de productos.exe
Size

927KB
MD5

0f346a68db9aa51d88cc26ed28920b51
SHA1

6013587a5e74bc0a6314f6491138937392911ed0
SHA256

a7ad626a9a14d2e0bbf3c43954a8c9497b69e8c8b27fbdfc7d6fdf699613a6bc
SHA512

c7b00ac68416c445ac55a3893e03a268a746ef3bf49be1baddb69057d09209ebdaac3cd251d000ed2dbc847b00b0b4c672241cc1e225b069b3ac76565cd6b5f6

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.recareerrecruiter.com/w56m/

Decoy

damai.zone

mywishbookweb.cloud

sandilakeclothing.bid

joysell.net

hackedwhores.com

sjdibang.com

memaquiahiga.com

bleeckerbobs.net

emmettthomas.com

thesheetz.com

mimik33.info

prettyprettybartending.com

3173596.com

shwangjia.com

sightuiop.com

tinnitusnow.online

mahadevexporters.com

cleaninglanarkshire.com

ibiaozhi.net

upinfame.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2160-126-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2160-127-0x000000000041D060-mapping.dmp	xloader
behavioral2/memory/2580-133-0x0000000002D30000-0x0000000002D59000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

muestras de productos.exeRegSvcs.execmd.exe

description	pid	process	target process
PID 2576 set thread context of 2160	2576	muestras de productos.exe	RegSvcs.exe
PID 2160 set thread context of 2680	2160	RegSvcs.exe	Explorer.EXE
PID 2580 set thread context of 2680	2580	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4016 schtasks.exe

pid	process
4016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

muestras de productos.exeRegSvcs.execmd.exe

pid	process
2576	muestras de productos.exe
2576	muestras de productos.exe
2160	RegSvcs.exe
2160	RegSvcs.exe
2160	RegSvcs.exe
2160	RegSvcs.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe
2580	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2680 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.execmd.exe

pid process

2160 RegSvcs.exe
2160 RegSvcs.exe
2160 RegSvcs.exe
2580 cmd.exe
2580 cmd.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

muestras de productos.exeRegSvcs.execmd.exe

description pid process

Token: SeDebugPrivilege 2576 muestras de productos.exe
Token: SeDebugPrivilege 2160 RegSvcs.exe
Token: SeDebugPrivilege 2580 cmd.exe

pid	process
2680	Explorer.EXE

pid	process
2160	RegSvcs.exe
2160	RegSvcs.exe
2160	RegSvcs.exe
2580	cmd.exe
2580	cmd.exe

description	pid	process
Token: SeDebugPrivilege	2576	muestras de productos.exe
Token: SeDebugPrivilege	2160	RegSvcs.exe
Token: SeDebugPrivilege	2580	cmd.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

muestras de productos.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2576 wrote to memory of 4016	2576	muestras de productos.exe	schtasks.exe
PID 2576 wrote to memory of 4016	2576	muestras de productos.exe	schtasks.exe
PID 2576 wrote to memory of 4016	2576	muestras de productos.exe	schtasks.exe
PID 2576 wrote to memory of 2016	2576	muestras de productos.exe	RegSvcs.exe
PID 2576 wrote to memory of 2016	2576	muestras de productos.exe	RegSvcs.exe
PID 2576 wrote to memory of 2016	2576	muestras de productos.exe	RegSvcs.exe
PID 2576 wrote to memory of 2160	2576	muestras de productos.exe	RegSvcs.exe
PID 2576 wrote to memory of 2160	2576	muestras de productos.exe	RegSvcs.exe
PID 2576 wrote to memory of 2160	2576	muestras de productos.exe	RegSvcs.exe
PID 2576 wrote to memory of 2160	2576	muestras de productos.exe	RegSvcs.exe
PID 2576 wrote to memory of 2160	2576	muestras de productos.exe	RegSvcs.exe
PID 2576 wrote to memory of 2160	2576	muestras de productos.exe	RegSvcs.exe
PID 2680 wrote to memory of 2580	2680	Explorer.EXE	cmd.exe
PID 2680 wrote to memory of 2580	2680	Explorer.EXE	cmd.exe
PID 2680 wrote to memory of 2580	2680	Explorer.EXE	cmd.exe
PID 2580 wrote to memory of 1928	2580	cmd.exe	cmd.exe
PID 2580 wrote to memory of 1928	2580	cmd.exe	cmd.exe
PID 2580 wrote to memory of 1928	2580	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Temp\muestras de productos.exe
"C:\Users\Admin\AppData\Local\Temp\muestras de productos.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbhLWEXYu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp158C.tmp"
3⤵
- Creates scheduled task(s)
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp158C.tmp
MD5
51046f44d3b13e6df91287f6f07f9ad1

SHA1
15065549d4c034e68fdea9f041b37927fc6f1fff

SHA256
b14226c535441ee7f016b78abf7cb1eb609e117206443d7d80b9c60e1be15ccc

SHA512
e90665b9e8105ade9272edc2705ee3f731291e2a560f48a7453ddaaff83809bcce800d4f0163880e3bdb4f560858e0f877ef7f28e9f53b1bbb918458a32f6001

Download Submit
memory/1928-134-0x0000000000000000-mapping.dmp

Download
memory/2160-129-0x0000000001100000-0x0000000001111000-memory.dmp

Filesize
68KB

Download
memory/2160-128-0x0000000001120000-0x0000000001440000-memory.dmp

Filesize
3.1MB

Download
memory/2160-127-0x000000000041D060-mapping.dmp

Download
memory/2160-126-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2576-120-0x0000000005820000-0x0000000005D1E000-memory.dmp

Filesize
5.0MB

Download
memory/2576-116-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/2576-123-0x00000000075E0000-0x000000000760D000-memory.dmp

Filesize
180KB

Download
memory/2576-122-0x0000000007560000-0x00000000075D2000-memory.dmp

Filesize
456KB

Download
memory/2576-121-0x0000000005340000-0x0000000005351000-memory.dmp

Filesize
68KB

Download
memory/2576-114-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/2576-119-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/2576-118-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/2576-117-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/2580-131-0x0000000000000000-mapping.dmp

Download
memory/2580-132-0x00000000003E0000-0x0000000000439000-memory.dmp

Filesize
356KB

Download
memory/2580-133-0x0000000002D30000-0x0000000002D59000-memory.dmp

Filesize
164KB

Download
memory/2580-135-0x0000000003040000-0x0000000003360000-memory.dmp

Filesize
3.1MB

Download
memory/2580-136-0x00000000033F0000-0x0000000003480000-memory.dmp

Filesize
576KB

Download
memory/2680-130-0x0000000006920000-0x0000000006A40000-memory.dmp

Filesize
1.1MB

Download
memory/2680-137-0x0000000003290000-0x000000000337D000-memory.dmp

Filesize
948KB

Download
memory/4016-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads