xloader | fe7963c745b7d108598bca84509b76be6527a01d00fca0228af857279619692f

General

Target

RFQ37548854,PDF.exe
Size

358KB
MD5

a52dd168224f0cdee9acbb6672235873
SHA1

ec2752f36ba84ccac2584774b5fb120585c3863c
SHA256

c5c262746be953a1731d5682c808ca401d4509446cf409b544c2b5524cce2e69
SHA512

3f420de65287e3164430755eac595e14dd4b381ffd6c5b7dc9cc1eb28360fe2d53f1998fb3bc26f53158c8426dbb8feda0385c7826299b8c5dee58018cc8d15b

Score

10^/10

xloader gv6d loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

gv6d

C2

http://www.breakaway.uk/gv6d/

Decoy

bigfatgay.com

czrsgd168.com

bnkinvestments.com

uhchearingfl.com

hooktowingco.com

bold2x.com

dirtyhandsdigital.com

princetonreviewes.com

typhoonmusicgroup.com

onlinemathcoach.net

safecareethiopia.net

alvarogdeo.com

access-sca-login.pro

handbagswholesalemaster.com

whoaservices.com

telemunndopr.com

dream2works.com

itemconfirmation.com

kentebags.com

chennaipremium.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/872-116-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/904-122-0x0000000002F20000-0x0000000002F48000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

RFQ37548854,PDF.exe

pid process

596 RFQ37548854,PDF.exe

pid	process
596	RFQ37548854,PDF.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ37548854,PDF.exeRFQ37548854,PDF.exemstsc.exe

description	pid	process	target process
PID 596 set thread context of 872	596	RFQ37548854,PDF.exe	RFQ37548854,PDF.exe
PID 872 set thread context of 1964	872	RFQ37548854,PDF.exe	Explorer.EXE
PID 904 set thread context of 1964	904	mstsc.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

RFQ37548854,PDF.exemstsc.exe

pid	process
872	RFQ37548854,PDF.exe
872	RFQ37548854,PDF.exe
872	RFQ37548854,PDF.exe
872	RFQ37548854,PDF.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe
904	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1964 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RFQ37548854,PDF.exeRFQ37548854,PDF.exemstsc.exe

pid process

596 RFQ37548854,PDF.exe
872 RFQ37548854,PDF.exe
872 RFQ37548854,PDF.exe
872 RFQ37548854,PDF.exe
904 mstsc.exe
904 mstsc.exe

pid	process
1964	Explorer.EXE

pid	process
596	RFQ37548854,PDF.exe
872	RFQ37548854,PDF.exe
872	RFQ37548854,PDF.exe
872	RFQ37548854,PDF.exe
904	mstsc.exe
904	mstsc.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

RFQ37548854,PDF.exemstsc.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	872	RFQ37548854,PDF.exe
Token: SeDebugPrivilege	904	mstsc.exe
Token: SeShutdownPrivilege	1964	Explorer.EXE
Token: SeCreatePagefilePrivilege	1964	Explorer.EXE
Token: SeShutdownPrivilege	1964	Explorer.EXE
Token: SeCreatePagefilePrivilege	1964	Explorer.EXE
Token: SeShutdownPrivilege	1964	Explorer.EXE
Token: SeCreatePagefilePrivilege	1964	Explorer.EXE
Token: SeShutdownPrivilege	1964	Explorer.EXE
Token: SeCreatePagefilePrivilege	1964	Explorer.EXE
Token: SeShutdownPrivilege	1964	Explorer.EXE
Token: SeCreatePagefilePrivilege	1964	Explorer.EXE
Token: SeShutdownPrivilege	1964	Explorer.EXE
Token: SeCreatePagefilePrivilege	1964	Explorer.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Explorer.EXE

pid process

1964 Explorer.EXE
1964 Explorer.EXE
1964 Explorer.EXE
1964 Explorer.EXE
1964 Explorer.EXE
1964 Explorer.EXE
1964 Explorer.EXE
1964 Explorer.EXE

pid	process
1964	Explorer.EXE
1964	Explorer.EXE
1964	Explorer.EXE
1964	Explorer.EXE
1964	Explorer.EXE
1964	Explorer.EXE
1964	Explorer.EXE
1964	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

RFQ37548854,PDF.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 596 wrote to memory of 872	596	RFQ37548854,PDF.exe	RFQ37548854,PDF.exe
PID 596 wrote to memory of 872	596	RFQ37548854,PDF.exe	RFQ37548854,PDF.exe
PID 596 wrote to memory of 872	596	RFQ37548854,PDF.exe	RFQ37548854,PDF.exe
PID 596 wrote to memory of 872	596	RFQ37548854,PDF.exe	RFQ37548854,PDF.exe
PID 1964 wrote to memory of 904	1964	Explorer.EXE	mstsc.exe
PID 1964 wrote to memory of 904	1964	Explorer.EXE	mstsc.exe
PID 1964 wrote to memory of 904	1964	Explorer.EXE	mstsc.exe
PID 904 wrote to memory of 1204	904	mstsc.exe	cmd.exe
PID 904 wrote to memory of 1204	904	mstsc.exe	cmd.exe
PID 904 wrote to memory of 1204	904	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\RFQ37548854,PDF.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ37548854,PDF.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:596

C:\Users\Admin\AppData\Local\Temp\RFQ37548854,PDF.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ37548854,PDF.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RFQ37548854,PDF.exe"
3⤵
PID:1204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd9F2A.tmp\totcxeabva.dll
MD5
89aee5fb46042439e7f4688264409ee6

SHA1
a2b83ba525c28a4a257cd796eac82fca58ee3616

SHA256
1f52fd925d4342b75828f06d797d792ae14eb4be888b1a0a917c93949bd16d8a

SHA512
4e4311570b3c1e11d59b31f5942b533d8d89d5c733befc42a9bddfae52cea83d40f5c4f67095233b92727fc4656e4239bde3d9ed6fa7f6711696c9ad0105beb4

Download Submit
memory/872-115-0x000000000041CFC0-mapping.dmp

Download
memory/872-117-0x0000000000AB0000-0x0000000000DD0000-memory.dmp

Filesize
3.1MB

Download
memory/872-116-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/872-118-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/904-120-0x0000000000000000-mapping.dmp

Download
memory/904-122-0x0000000002F20000-0x0000000002F48000-memory.dmp

Filesize
160KB

Download
memory/904-123-0x0000000004A40000-0x0000000004D60000-memory.dmp

Filesize
3.1MB

Download
memory/904-121-0x0000000000220000-0x000000000051C000-memory.dmp

Filesize
3.0MB

Download
memory/904-125-0x0000000004790000-0x000000000481F000-memory.dmp

Filesize
572KB

Download
memory/1204-124-0x0000000000000000-mapping.dmp

Download
memory/1964-119-0x00000000056D0000-0x0000000005869000-memory.dmp

Filesize
1.6MB

Download
memory/1964-126-0x00000000012C0000-0x0000000001356000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads