xloader | fe7963c745b7d108598bca84509b76be6527a01d00fca0228af857279619692f

General

Target

RFQ37548854,PDF.exe
Size

358KB
MD5

a52dd168224f0cdee9acbb6672235873
SHA1

ec2752f36ba84ccac2584774b5fb120585c3863c
SHA256

c5c262746be953a1731d5682c808ca401d4509446cf409b544c2b5524cce2e69
SHA512

3f420de65287e3164430755eac595e14dd4b381ffd6c5b7dc9cc1eb28360fe2d53f1998fb3bc26f53158c8426dbb8feda0385c7826299b8c5dee58018cc8d15b

Score

10^/10

xloader gv6d loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

gv6d

C2

http://www.breakaway.uk/gv6d/

Decoy

bigfatgay.com

czrsgd168.com

bnkinvestments.com

uhchearingfl.com

hooktowingco.com

bold2x.com

dirtyhandsdigital.com

princetonreviewes.com

typhoonmusicgroup.com

onlinemathcoach.net

safecareethiopia.net

alvarogdeo.com

access-sca-login.pro

handbagswholesalemaster.com

whoaservices.com

telemunndopr.com

dream2works.com

itemconfirmation.com

kentebags.com

chennaipremium.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1736-57-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/964-65-0x00000000000C0000-0x00000000000E8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1332 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

RFQ37548854,PDF.exe

pid process

1348 RFQ37548854,PDF.exe

pid	process
1332	cmd.exe

pid	process
1348	RFQ37548854,PDF.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ37548854,PDF.exeRFQ37548854,PDF.execontrol.exe

description	pid	process	target process
PID 1348 set thread context of 1736	1348	RFQ37548854,PDF.exe	RFQ37548854,PDF.exe
PID 1736 set thread context of 1204	1736	RFQ37548854,PDF.exe	Explorer.EXE
PID 964 set thread context of 1204	964	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

RFQ37548854,PDF.execontrol.exe

pid	process
1736	RFQ37548854,PDF.exe
1736	RFQ37548854,PDF.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe
964	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RFQ37548854,PDF.exeRFQ37548854,PDF.execontrol.exe

pid process

1348 RFQ37548854,PDF.exe
1736 RFQ37548854,PDF.exe
1736 RFQ37548854,PDF.exe
1736 RFQ37548854,PDF.exe
964 control.exe
964 control.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RFQ37548854,PDF.execontrol.exe

description pid process

Token: SeDebugPrivilege 1736 RFQ37548854,PDF.exe
Token: SeDebugPrivilege 964 control.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE
1204 Explorer.EXE

pid	process
1204	Explorer.EXE

pid	process
1348	RFQ37548854,PDF.exe
1736	RFQ37548854,PDF.exe
1736	RFQ37548854,PDF.exe
1736	RFQ37548854,PDF.exe
964	control.exe
964	control.exe

description	pid	process
Token: SeDebugPrivilege	1736	RFQ37548854,PDF.exe
Token: SeDebugPrivilege	964	control.exe

pid	process
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

RFQ37548854,PDF.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 1348 wrote to memory of 1736	1348	RFQ37548854,PDF.exe	RFQ37548854,PDF.exe
PID 1348 wrote to memory of 1736	1348	RFQ37548854,PDF.exe	RFQ37548854,PDF.exe
PID 1348 wrote to memory of 1736	1348	RFQ37548854,PDF.exe	RFQ37548854,PDF.exe
PID 1348 wrote to memory of 1736	1348	RFQ37548854,PDF.exe	RFQ37548854,PDF.exe
PID 1348 wrote to memory of 1736	1348	RFQ37548854,PDF.exe	RFQ37548854,PDF.exe
PID 1204 wrote to memory of 964	1204	Explorer.EXE	control.exe
PID 1204 wrote to memory of 964	1204	Explorer.EXE	control.exe
PID 1204 wrote to memory of 964	1204	Explorer.EXE	control.exe
PID 1204 wrote to memory of 964	1204	Explorer.EXE	control.exe
PID 964 wrote to memory of 1332	964	control.exe	cmd.exe
PID 964 wrote to memory of 1332	964	control.exe	cmd.exe
PID 964 wrote to memory of 1332	964	control.exe	cmd.exe
PID 964 wrote to memory of 1332	964	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\RFQ37548854,PDF.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ37548854,PDF.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\RFQ37548854,PDF.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ37548854,PDF.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RFQ37548854,PDF.exe"
3⤵
- Deletes itself
PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nslE3BA.tmp\totcxeabva.dll
MD5
89aee5fb46042439e7f4688264409ee6

SHA1
a2b83ba525c28a4a257cd796eac82fca58ee3616

SHA256
1f52fd925d4342b75828f06d797d792ae14eb4be888b1a0a917c93949bd16d8a

SHA512
4e4311570b3c1e11d59b31f5942b533d8d89d5c733befc42a9bddfae52cea83d40f5c4f67095233b92727fc4656e4239bde3d9ed6fa7f6711696c9ad0105beb4

Download Submit
memory/964-61-0x0000000000000000-mapping.dmp

Download
memory/964-67-0x0000000000700000-0x000000000078F000-memory.dmp

Filesize
572KB

Download
memory/964-66-0x0000000002020000-0x0000000002323000-memory.dmp

Filesize
3.0MB

Download
memory/964-65-0x00000000000C0000-0x00000000000E8000-memory.dmp

Filesize
160KB

Download
memory/964-64-0x00000000007A0000-0x00000000007BF000-memory.dmp

Filesize
124KB

Download
memory/1204-60-0x00000000049E0000-0x0000000004B3E000-memory.dmp

Filesize
1.4MB

Download
memory/1204-68-0x0000000004B40000-0x0000000004C62000-memory.dmp

Filesize
1.1MB

Download
memory/1332-63-0x0000000000000000-mapping.dmp

Download
memory/1348-54-0x00000000768C1000-0x00000000768C3000-memory.dmp

Filesize
8KB

Download
memory/1736-59-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1736-57-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1736-58-0x0000000000210000-0x0000000000220000-memory.dmp

Filesize
64KB

Download
memory/1736-56-0x000000000041CFC0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads