xloader | 8eac1ee2c601de814b716a91238a115f7294ed39fa0c0bf69eeb318ac9792284

General

Target

NEW ORDER RE PO88224.PDF.exe
Size

465KB
MD5

a88e3833ee5ccb2434ee90aa645a8894
SHA1

b6e78de80bbdc7748dfcbea47bc43593b587b075
SHA256

4dfab25d3ccff9a33396c252590c27c57f23f9a94b11ebd9834b23981b0908e6
SHA512

becf2614d5196c2b43f74c94f76cc0e9e21ffc75edd8a3ec8057a01ed9e8cfce755590228174692e4935861406627f7048fcf0294007b62148c5ece9f065af77

Score

10^/10

xloader ny9y loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ny9y

C2

http://www.caddomain.com/ny9y/

Decoy

prelovedboutiqe.com

zhantool.com

grypeguidgorge.com

aa6588.com

privateerspacecompany.space

phil-goodman.com

jckabogados.com

familybeautifull.com

probinns.com

angelika-fritz.online

mygeeb.com

481344.com

freesoft.pro

extracter.store

fasxpay.com

hnjxcd.com

wfot2002.com

worldexecutor.com

tongxintachangjia.com

zachtippit.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3960-124-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3960-125-0x000000000041D470-mapping.dmp	xloader
behavioral2/memory/836-134-0x0000000004D10000-0x0000000004D39000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

NEW ORDER RE PO88224.PDF.exeNEW ORDER RE PO88224.PDF.exechkdsk.exe

description	pid	process	target process
PID 4060 set thread context of 3960	4060	NEW ORDER RE PO88224.PDF.exe	NEW ORDER RE PO88224.PDF.exe
PID 3960 set thread context of 3016	3960	NEW ORDER RE PO88224.PDF.exe	Explorer.EXE
PID 3960 set thread context of 3016	3960	NEW ORDER RE PO88224.PDF.exe	Explorer.EXE
PID 836 set thread context of 3016	836	chkdsk.exe	Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

NEW ORDER RE PO88224.PDF.exechkdsk.exe

pid	process
3960	NEW ORDER RE PO88224.PDF.exe
3960	NEW ORDER RE PO88224.PDF.exe
3960	NEW ORDER RE PO88224.PDF.exe
3960	NEW ORDER RE PO88224.PDF.exe
3960	NEW ORDER RE PO88224.PDF.exe
3960	NEW ORDER RE PO88224.PDF.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe
836	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

NEW ORDER RE PO88224.PDF.exechkdsk.exe

pid	process
3960	NEW ORDER RE PO88224.PDF.exe
3960	NEW ORDER RE PO88224.PDF.exe
3960	NEW ORDER RE PO88224.PDF.exe
3960	NEW ORDER RE PO88224.PDF.exe
836	chkdsk.exe
836	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

NEW ORDER RE PO88224.PDF.exechkdsk.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3960	NEW ORDER RE PO88224.PDF.exe
Token: SeDebugPrivilege	836	chkdsk.exe
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

Explorer.EXE

pid	process
3016	Explorer.EXE
3016	Explorer.EXE
3016	Explorer.EXE
3016	Explorer.EXE
3016	Explorer.EXE
3016	Explorer.EXE
3016	Explorer.EXE
3016	Explorer.EXE
3016	Explorer.EXE
3016	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE
3016 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

NEW ORDER RE PO88224.PDF.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 4060 wrote to memory of 3960	4060	NEW ORDER RE PO88224.PDF.exe	NEW ORDER RE PO88224.PDF.exe
PID 4060 wrote to memory of 3960	4060	NEW ORDER RE PO88224.PDF.exe	NEW ORDER RE PO88224.PDF.exe
PID 4060 wrote to memory of 3960	4060	NEW ORDER RE PO88224.PDF.exe	NEW ORDER RE PO88224.PDF.exe
PID 4060 wrote to memory of 3960	4060	NEW ORDER RE PO88224.PDF.exe	NEW ORDER RE PO88224.PDF.exe
PID 4060 wrote to memory of 3960	4060	NEW ORDER RE PO88224.PDF.exe	NEW ORDER RE PO88224.PDF.exe
PID 4060 wrote to memory of 3960	4060	NEW ORDER RE PO88224.PDF.exe	NEW ORDER RE PO88224.PDF.exe
PID 3016 wrote to memory of 836	3016	Explorer.EXE	chkdsk.exe
PID 3016 wrote to memory of 836	3016	Explorer.EXE	chkdsk.exe
PID 3016 wrote to memory of 836	3016	Explorer.EXE	chkdsk.exe
PID 836 wrote to memory of 1224	836	chkdsk.exe	cmd.exe
PID 836 wrote to memory of 1224	836	chkdsk.exe	cmd.exe
PID 836 wrote to memory of 1224	836	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\NEW ORDER RE PO88224.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER RE PO88224.PDF.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4060

C:\Users\Admin\AppData\Local\Temp\NEW ORDER RE PO88224.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER RE PO88224.PDF.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\NEW ORDER RE PO88224.PDF.exe"
3⤵
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-136-0x0000000005280000-0x0000000005310000-memory.dmp

Filesize
576KB

Download
memory/836-135-0x0000000005610000-0x0000000005930000-memory.dmp

Filesize
3.1MB

Download
memory/836-133-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/836-134-0x0000000004D10000-0x0000000004D39000-memory.dmp

Filesize
164KB

Download
memory/836-131-0x0000000000000000-mapping.dmp

Download
memory/1224-132-0x0000000000000000-mapping.dmp

Download
memory/3016-128-0x0000000005840000-0x000000000599B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-137-0x0000000006AA0000-0x0000000006BEA000-memory.dmp

Filesize
1.3MB

Download
memory/3016-130-0x00000000059A0000-0x0000000005AE3000-memory.dmp

Filesize
1.3MB

Download
memory/3960-129-0x0000000001440000-0x0000000001451000-memory.dmp

Filesize
68KB

Download
memory/3960-125-0x000000000041D470-mapping.dmp

Download
memory/3960-127-0x0000000001400000-0x0000000001411000-memory.dmp

Filesize
68KB

Download
memory/3960-126-0x00000000010E0000-0x0000000001400000-memory.dmp

Filesize
3.1MB

Download
memory/3960-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4060-122-0x0000000007400000-0x0000000007468000-memory.dmp

Filesize
416KB

Download
memory/4060-114-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/4060-123-0x0000000007470000-0x00000000074A8000-memory.dmp

Filesize
224KB

Download
memory/4060-121-0x00000000050D0000-0x00000000050D4000-memory.dmp

Filesize
16KB

Download
memory/4060-120-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/4060-119-0x0000000004A90000-0x0000000004B22000-memory.dmp

Filesize
584KB

Download
memory/4060-118-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/4060-117-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/4060-116-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads