xloader | 27cad802a32ea893bce26ae89b2c77825d4ece889932addbcb922ff2c3d73425

General

Target

dd5c7e917f28bbe04bb177571eadb4b6.exe
Size

863KB
MD5

dd5c7e917f28bbe04bb177571eadb4b6
SHA1

55160185c61347dbcaf4577f14f991d628c2ecf3
SHA256

27cad802a32ea893bce26ae89b2c77825d4ece889932addbcb922ff2c3d73425
SHA512

c6d38a321c98628b5dcbf3a4add12b4a11d21bcfc542a37d2a05525842eb0e31004f0482ad9415fb742883194f51e4a9072b6c0891c425b35befc0103fdd99aa

Score

10^/10

xloader ecuu loader persistence rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ecuu

C2

http://www.polaritelibrairie.com/ecuu/

Decoy

buoy8boats.com

tomrings.com

o-distribs.com

majesticgroupinc.com

tehridam.com

yzwjtoys.com

castro-online.run

aquarius-twins.com

jamesrrossfineart.com

pavarasupatthonkol.com

rivermarketdentistry.com

gyiblrjd.icu

redcountrypodcast.com

youngbrotherspharmacyga.com

betsysobiech.com

neocleanpro.com

ingpatrimoine.com

mustangsallytransportation.com

jsvfcxzn.com

krsfpjuoekcd.info

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1160-120-0x0000000000000000-mapping.dmp	xloader
behavioral2/memory/1160-129-0x0000000010410000-0x0000000010439000-memory.dmp	xloader
behavioral2/memory/1332-135-0x00000000025A0000-0x00000000025C9000-memory.dmp	xloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dd5c7e917f28bbe04bb177571eadb4b6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skxlgyf = "C:\\Users\\Public\\Libraries\\fyglxkS.url"	dd5c7e917f28bbe04bb177571eadb4b6.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

DpiScaling.exewlanext.exe

description	pid	process	target process
PID 1160 set thread context of 3008	1160	DpiScaling.exe	Explorer.EXE
PID 1332 set thread context of 3008	1332	wlanext.exe	Explorer.EXE

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

1136 reg.exe
2152 reg.exe
2236 reg.exe

pid	process
1136	reg.exe
2152	reg.exe
2236	reg.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

DpiScaling.exewlanext.exe

pid	process
1160	DpiScaling.exe
1160	DpiScaling.exe
1160	DpiScaling.exe
1160	DpiScaling.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe
1332	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3008 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

DpiScaling.exewlanext.exe

pid process

1160 DpiScaling.exe
1160 DpiScaling.exe
1160 DpiScaling.exe
1332 wlanext.exe
1332 wlanext.exe

pid	process
3008	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

DpiScaling.exewlanext.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1160	DpiScaling.exe
Token: SeDebugPrivilege	1332	wlanext.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3008 Explorer.EXE

pid	process
3008	Explorer.EXE

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

dd5c7e917f28bbe04bb177571eadb4b6.execmd.execmd.exeExplorer.EXEwlanext.execmd.exe

description	pid	process	target process
PID 3952 wrote to memory of 1160	3952	dd5c7e917f28bbe04bb177571eadb4b6.exe	DpiScaling.exe
PID 3952 wrote to memory of 1160	3952	dd5c7e917f28bbe04bb177571eadb4b6.exe	DpiScaling.exe
PID 3952 wrote to memory of 1160	3952	dd5c7e917f28bbe04bb177571eadb4b6.exe	DpiScaling.exe
PID 3952 wrote to memory of 1160	3952	dd5c7e917f28bbe04bb177571eadb4b6.exe	DpiScaling.exe
PID 3952 wrote to memory of 1160	3952	dd5c7e917f28bbe04bb177571eadb4b6.exe	DpiScaling.exe
PID 3952 wrote to memory of 1160	3952	dd5c7e917f28bbe04bb177571eadb4b6.exe	DpiScaling.exe
PID 3952 wrote to memory of 3976	3952	dd5c7e917f28bbe04bb177571eadb4b6.exe	cmd.exe
PID 3952 wrote to memory of 3976	3952	dd5c7e917f28bbe04bb177571eadb4b6.exe	cmd.exe
PID 3952 wrote to memory of 3976	3952	dd5c7e917f28bbe04bb177571eadb4b6.exe	cmd.exe
PID 3976 wrote to memory of 3828	3976	cmd.exe	cmd.exe
PID 3976 wrote to memory of 3828	3976	cmd.exe	cmd.exe
PID 3976 wrote to memory of 3828	3976	cmd.exe	cmd.exe
PID 3828 wrote to memory of 1136	3828	cmd.exe	reg.exe
PID 3828 wrote to memory of 1136	3828	cmd.exe	reg.exe
PID 3828 wrote to memory of 1136	3828	cmd.exe	reg.exe
PID 3828 wrote to memory of 2152	3828	cmd.exe	reg.exe
PID 3828 wrote to memory of 2152	3828	cmd.exe	reg.exe
PID 3828 wrote to memory of 2152	3828	cmd.exe	reg.exe
PID 3828 wrote to memory of 1940	3828	cmd.exe	schtasks.exe
PID 3828 wrote to memory of 1940	3828	cmd.exe	schtasks.exe
PID 3828 wrote to memory of 1940	3828	cmd.exe	schtasks.exe
PID 3008 wrote to memory of 1332	3008	Explorer.EXE	wlanext.exe
PID 3008 wrote to memory of 1332	3008	Explorer.EXE	wlanext.exe
PID 3008 wrote to memory of 1332	3008	Explorer.EXE	wlanext.exe
PID 1332 wrote to memory of 2672	1332	wlanext.exe	cmd.exe
PID 1332 wrote to memory of 2672	1332	wlanext.exe	cmd.exe
PID 1332 wrote to memory of 2672	1332	wlanext.exe	cmd.exe
PID 3952 wrote to memory of 4044	3952	dd5c7e917f28bbe04bb177571eadb4b6.exe	cmd.exe
PID 3952 wrote to memory of 4044	3952	dd5c7e917f28bbe04bb177571eadb4b6.exe	cmd.exe
PID 3952 wrote to memory of 4044	3952	dd5c7e917f28bbe04bb177571eadb4b6.exe	cmd.exe
PID 4044 wrote to memory of 2236	4044	cmd.exe	reg.exe
PID 4044 wrote to memory of 2236	4044	cmd.exe	reg.exe
PID 4044 wrote to memory of 2236	4044	cmd.exe	reg.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\dd5c7e917f28bbe04bb177571eadb4b6.exe
"C:\Users\Admin\AppData\Local\Temp\dd5c7e917f28bbe04bb177571eadb4b6.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Trast.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
5⤵
- Modifies registry key
PID:1136

C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
5⤵
- Modifies registry key
PID:2152

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
5⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nest.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
4⤵
- Modifies registry key
PID:2236

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\DpiScaling.exe"
3⤵
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Trast.bat
MD5
4068c9f69fcd8a171c67f81d4a952a54

SHA1
4d2536a8c28cdcc17465e20d6693fb9e8e713b36

SHA256
24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810

SHA512
a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

Download Submit
C:\Users\Public\UKO.bat
MD5
eaf8d967454c3bbddbf2e05a421411f8

SHA1
6170880409b24de75c2dc3d56a506fbff7f6622c

SHA256
f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56

SHA512
fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9

Download Submit
C:\Users\Public\nest.bat
MD5
8ada51400b7915de2124baaf75e3414c

SHA1
1a7b9db12184ab7fd7fce1c383f9670a00adb081

SHA256
45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7

SHA512
9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68

Download Submit
memory/1136-125-0x0000000000000000-mapping.dmp

Download
memory/1160-131-0x0000000000E00000-0x0000000000E10000-memory.dmp

Filesize
64KB

Download
memory/1160-128-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1160-130-0x0000000004620000-0x0000000004940000-memory.dmp

Filesize
3.1MB

Download
memory/1160-120-0x0000000000000000-mapping.dmp

Download
memory/1160-129-0x0000000010410000-0x0000000010439000-memory.dmp

Filesize
164KB

Download
memory/1332-133-0x0000000000000000-mapping.dmp

Download
memory/1332-137-0x0000000002BC0000-0x0000000002EE0000-memory.dmp

Filesize
3.1MB

Download
memory/1332-141-0x0000000002990000-0x0000000002A1F000-memory.dmp

Filesize
572KB

Download
memory/1332-134-0x0000000000070000-0x0000000000087000-memory.dmp

Filesize
92KB

Download
memory/1332-135-0x00000000025A0000-0x00000000025C9000-memory.dmp

Filesize
164KB

Download
memory/1940-127-0x0000000000000000-mapping.dmp

Download
memory/2152-126-0x0000000000000000-mapping.dmp

Download
memory/2236-140-0x0000000000000000-mapping.dmp

Download
memory/2672-136-0x0000000000000000-mapping.dmp

Download
memory/3008-132-0x0000000002C00000-0x0000000002CED000-memory.dmp

Filesize
948KB

Download
memory/3008-142-0x0000000008660000-0x0000000008779000-memory.dmp

Filesize
1.1MB

Download
memory/3828-123-0x0000000000000000-mapping.dmp

Download
memory/3952-115-0x00000000004F0000-0x000000000059E000-memory.dmp

Filesize
696KB

Download
memory/3952-117-0x0000000002270000-0x000000000228B000-memory.dmp

Filesize
108KB

Download
memory/3976-121-0x0000000000000000-mapping.dmp

Download
memory/4044-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads