GLEASON_QT2309.exe

General

Target     GLEASON_QT2309.exe
Filesize   642KB
Completed  24-09-2021 11:24
Score      10/10
MD5        d601604552146dd9a412f1db8ff0cdd4
SHA1       8dc649c53d100c5d1f1330dc5ba33c680208d7f8
SHA256     3121d773a680fbac7dc37f75c38ae8ef20f1b88915cc0b83ca9bf2bf7c22ee94

Malware Config

Extracted

Family    xloader
Version   2.5
Campaign  g9vg
C2        http://www.supra413.com/g9vg/

Decoy (50 domains; Xloader beacons to these alongside the real C2, under the same campaign path, so that the live server does not stand out in network traffic)

selenebrennan.com
htsfrance.com
monsieurtechno.com
argosy.city
lit-clouds.com
emilio-m.com
crashycraft.net
washmebro.com
1houroflife.com
millershaga.com
newtonpod.com
camopants.net
animator-show.com
qqzome.com
assetacre.com
letsmakeyourchoice.com
gileadpreferences.com
ecomarklifestyle.com
mivaautomotive.com
rattle100.com
askfortesting.com
majorelectricalwork.com
blockbotprofit.com
lanceseuexpert.online
zatventure.com
fitnessbykc.com
renatafaceandbodyskincare.com
opusmime.com
biyimeilou.com
soulhospitalitygroup.net
peaktradecapital.com
augmentedfact.com
petmall.website
rfmanutencoes.com
mgav40.xyz
konzertmanagement.com
thisisweenz.com
xn--42cg2czax6ptae6a.com
scienceworldapub.com
perfumeriavictory.com
ankarasinirsizescortlar.xyz
keenflat.com
fodfus.com
bright-tailor.com
spaciolb.com
pinkpolishseattle.com
homewebmailz.com
devple.com
cimehey9.xyz
tracks-clicks.com

Signatures 11

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload

    Reported IOCs

    resource                                                                      yara_rule
    behavioral1/memory/964-60-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
    behavioral1/memory/964-61-0x000000000041D450-mapping.dmp                     xloader
    behavioral1/memory/960-69-0x0000000000080000-0x00000000000A9000-memory.dmp   xloader
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid   process
    268   cmd.exe
  • Suspicious use of SetThreadContext
    GLEASON_QT2309.exe, GLEASON_QT2309.exe, chkdsk.exe

    Reported IOCs

    description                          pid    process              target process
    PID 1324 set thread context of 964   1324   GLEASON_QT2309.exe   GLEASON_QT2309.exe
    PID 964 set thread context of 1244   964    GLEASON_QT2309.exe   Explorer.EXE
    PID 964 set thread context of 1244   964    GLEASON_QT2309.exe   Explorer.EXE
    PID 960 set thread context of 1244   960    chkdsk.exe           Explorer.EXE
  • Enumerates system info in registry
    chkdsk.exe

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description         ioc                                                        process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier   chkdsk.exe
  • Suspicious behavior: EnumeratesProcesses
    GLEASON_QT2309.exe, chkdsk.exe

    Reported IOCs

    pid   process              events
    964   GLEASON_QT2309.exe   3
    960   chkdsk.exe           20
  • Suspicious behavior: MapViewOfSection
    GLEASON_QT2309.exe, chkdsk.exe

    Reported IOCs

    pid   process              events
    964   GLEASON_QT2309.exe   4
    960   chkdsk.exe           2
  • Suspicious use of AdjustPrivilegeToken
    GLEASON_QT2309.exe, chkdsk.exe

    Reported IOCs

    description               pid   process
    Token: SeDebugPrivilege   964   GLEASON_QT2309.exe
    Token: SeDebugPrivilege   960   chkdsk.exe
  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs

    pid    process        events
    1244   Explorer.EXE   2
  • Suspicious use of SendNotifyMessage
    Explorer.EXE

    Reported IOCs

    pid    process        events
    1244   Explorer.EXE   2
  • Suspicious use of WriteProcessMemory
    GLEASON_QT2309.exe, Explorer.EXE, chkdsk.exe

    Reported IOCs

    description                       pid    process              target process       events
    PID 1324 wrote to memory of 964   1324   GLEASON_QT2309.exe   GLEASON_QT2309.exe   7
    PID 1244 wrote to memory of 960   1244   Explorer.EXE         chkdsk.exe           4
    PID 960 wrote to memory of 268    960    chkdsk.exe           cmd.exe              4
Processes 5
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\GLEASON_QT2309.exe
      "C:\Users\Admin\AppData\Local\Temp\GLEASON_QT2309.exe"
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Users\Admin\AppData\Local\Temp\GLEASON_QT2309.exe
        "C:\Users\Admin\AppData\Local\Temp\GLEASON_QT2309.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:964
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      Suspicious use of SetThreadContext
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:960
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\GLEASON_QT2309.exe"
        Deletes itself
        PID:268
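The process tree and the SetThreadContext / WriteProcessMemory rows above describe one behaviour, not eleven: the dropper hollows a copy of itself (1324 -> 964), the hollowed copy hijacks a thread in Explorer.EXE (964 -> 1244), the injected Explorer starts a SysWOW64 utility that hijacks Explorer again (960 -> 1244), and that utility runs cmd.exe to delete the original file. This is the usual Formbook/Xloader chain. The script below is an added example, not part of the report; it reconstructs the chain from a constructed event set copied from the report's rows (duplicate rows collapsed) and only reports a full verdict when all four stages are present. It does not use the MapViewOfSection rows, so an injection done purely through section mapping would need a separate check.

```python
"""Added example (not part of the sandbox report): reconstruct the
Xloader/Formbook injection chain from the process tree and the
injection events, and reduce them to one finding."""
import ntpath

# Constructed from the 'Processes' tree: pid -> image path, pid -> parent pid.
PROCESSES = {
    1244: r"C:\Windows\Explorer.EXE",
    1324: r"C:\Users\Admin\AppData\Local\Temp\GLEASON_QT2309.exe",
    964:  r"C:\Users\Admin\AppData\Local\Temp\GLEASON_QT2309.exe",
    960:  r"C:\Windows\SysWOW64\chkdsk.exe",
    268:  r"C:\Windows\SysWOW64\cmd.exe",
}
PARENT = {1324: 1244, 964: 1324, 960: 1244, 268: 960}
CMDLINE = {268: r'/c del "C:\Users\Admin\AppData\Local\Temp\GLEASON_QT2309.exe"'}

# Constructed from the SetThreadContext / WriteProcessMemory signature rows,
# duplicates collapsed: (api, source pid, target pid).
EVENTS = [
    ("WriteProcessMemory", 1324, 964),
    ("SetThreadContext", 1324, 964),
    ("SetThreadContext", 964, 1244),
    ("WriteProcessMemory", 1244, 960),
    ("SetThreadContext", 960, 1244),
    ("WriteProcessMemory", 960, 268),
]


def image(processes, pid):
    """Lower-cased file name of a process image."""
    return ntpath.basename(processes[pid]).lower()


def analyze(processes, parent, cmdline, events):
    """Return the chain stages found; a full Formbook/Xloader chain has four."""
    ctx = {(s, t) for api, s, t in events if api == "SetThreadContext"}
    wpm = {(s, t) for api, s, t in events if api == "WriteProcessMemory"}
    stages = []

    # Stage 1: a process writes into a child that runs its own image and then
    # redirects the child's thread (hollowing of a copy of itself).
    hollowed = set()
    for s, t in sorted(ctx & wpm):
        if parent.get(t) == s and processes[s].lower() == processes[t].lower():
            hollowed.add(t)
            stages.append(f"1 self-hollowing: {s} -> {t} ({image(processes, t)})")

    # Stage 2: the hollowed copy hijacks a thread in explorer.exe.
    injected_explorer = set()
    for s, t in sorted(ctx):
        if s in hollowed and image(processes, t) == "explorer.exe":
            injected_explorer.add(t)
            stages.append(f"2 explorer.exe thread hijack: {s} -> {t}")

    # Stage 3: the injected explorer.exe starts a SysWOW64 utility that in turn
    # hijacks explorer.exe (the stealer now runs under the utility's name).
    syswow_child = set()
    for s, t in sorted(ctx):
        if (t in injected_explorer and parent.get(s) == t
                and processes[s].lower().startswith("c:\\windows\\syswow64\\")):
            syswow_child.add(s)
            stages.append(f"3 utility re-injects explorer.exe: {s} ({image(processes, s)}) -> {t}")

    # Stage 4: that utility runs cmd.exe to delete the original dropper file.
    dropper_paths = {processes[p].lower() for p in hollowed}
    for pid, cl in sorted(cmdline.items()):
        if parent.get(pid) in syswow_child and image(processes, pid) == "cmd.exe":
            words = cl.lower().split()
            if "del" in words and any(dp in cl.lower() for dp in dropper_paths):
                stages.append(f"4 dropper self-deletion via cmd.exe: {pid}")

    verdict = "xloader/formbook injection chain" if len(stages) == 4 else "incomplete"
    return {"stages": stages, "verdict": verdict}


if __name__ == "__main__":
    result = analyze(PROCESSES, PARENT, CMDLINE, EVENTS)
    for line in result["stages"]:
        print(line)
    print("verdict:", result["verdict"])
```

On the report's events this yields all four stages and the chain verdict. Stage 3 keys on the SysWOW64 path because Xloader's 32-bit payload picks its host from that directory; on an EDR feed the same logic applies to the Sysmon event 8 (CreateRemoteThread) and event 10 (ProcessAccess) pairs instead of the sandbox rows.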
Network
MITRE ATT&CK Matrix

Discovery: Query Registry, System Information Discovery (the HARDWARE\DESCRIPTION\System\Identifier query by chkdsk.exe in the signatures above)
Downloads
• memory/268-70-0x0000000000000000-mapping.dmp
• memory/960-68-0x00000000006F0000-0x00000000006F7000-memory.dmp
• memory/960-72-0x0000000002270000-0x0000000002300000-memory.dmp
• memory/960-71-0x0000000001F60000-0x0000000002263000-memory.dmp
• memory/960-69-0x0000000000080000-0x00000000000A9000-memory.dmp
• memory/960-67-0x0000000000000000-mapping.dmp
• memory/964-60-0x0000000000400000-0x0000000000429000-memory.dmp
• memory/964-63-0x0000000000290000-0x00000000002A1000-memory.dmp
• memory/964-62-0x0000000000930000-0x0000000000C33000-memory.dmp
• memory/964-65-0x00000000002D0000-0x00000000002E1000-memory.dmp
• memory/964-61-0x000000000041D450-mapping.dmp
• memory/1244-64-0x00000000061A0000-0x00000000062BB000-memory.dmp
• memory/1244-66-0x0000000006010000-0x0000000006115000-memory.dmp
• memory/1244-73-0x00000000062C0000-0x0000000006396000-memory.dmp
• memory/1324-59-0x0000000000BA0000-0x0000000000BD7000-memory.dmp
• memory/1324-58-0x0000000004FA0000-0x0000000005006000-memory.dmp
• memory/1324-57-0x00000000002D0000-0x00000000002ED000-memory.dmp
• memory/1324-56-0x0000000000A20000-0x0000000000A21000-memory.dmp
• memory/1324-54-0x0000000001220000-0x0000000001221000-memory.dmp
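The dump names encode which process and address range each capture covers, and they are the quickest way to confirm the injection chain without opening a single dump: the two YARA hits are regions of identical size (0x29000 bytes) at 0x400000 in the hollowed GLEASON_QT2309.exe (PID 964) and at 0x80000 in chkdsk.exe (PID 960), and the 964-61 mapping address 0x41D450 falls inside the 964-60 region, i.e. it is the new entry point set in the hollowed image. The script below is an added example, not part of the report. It reads the name layout pid-seq-start[-end]-kind.dmp off the list above; treating the second number as the capture sequence is an assumption.

```python
"""Added example (not part of the sandbox report): parse the memory dump
names, order them, and find region sizes shared across processes."""
import re
from collections import defaultdict

# Constructed input: the names from the report's Downloads section.
DUMPS = [
    "memory/268-70-0x0000000000000000-mapping.dmp",
    "memory/960-68-0x00000000006F0000-0x00000000006F7000-memory.dmp",
    "memory/960-72-0x0000000002270000-0x0000000002300000-memory.dmp",
    "memory/960-71-0x0000000001F60000-0x0000000002263000-memory.dmp",
    "memory/960-69-0x0000000000080000-0x00000000000A9000-memory.dmp",
    "memory/960-67-0x0000000000000000-mapping.dmp",
    "memory/964-60-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/964-63-0x0000000000290000-0x00000000002A1000-memory.dmp",
    "memory/964-62-0x0000000000930000-0x0000000000C33000-memory.dmp",
    "memory/964-65-0x00000000002D0000-0x00000000002E1000-memory.dmp",
    "memory/964-61-0x000000000041D450-mapping.dmp",
    "memory/1244-64-0x00000000061A0000-0x00000000062BB000-memory.dmp",
    "memory/1244-66-0x0000000006010000-0x0000000006115000-memory.dmp",
    "memory/1244-73-0x00000000062C0000-0x0000000006396000-memory.dmp",
    "memory/1324-59-0x0000000000BA0000-0x0000000000BD7000-memory.dmp",
    "memory/1324-58-0x0000000004FA0000-0x0000000005006000-memory.dmp",
    "memory/1324-57-0x00000000002D0000-0x00000000002ED000-memory.dmp",
    "memory/1324-56-0x0000000000A20000-0x0000000000A21000-memory.dmp",
    "memory/1324-54-0x0000000001220000-0x0000000001221000-memory.dmp",
]

# pid-seq-start[-end]-kind.dmp; the seq-as-capture-order reading is an assumption.
DUMP_RE = re.compile(
    r"(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump(name):
    """Split one dump file name into its fields; size is in bytes."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "name": name, "pid": int(m["pid"]), "seq": int(m["seq"]),
        "kind": m["kind"], "start": start, "end": end,
        "size": end - start if end is not None else 0,
    }


def regions(names):
    """Only the region dumps; a 'mapping' dump names one address, not a range."""
    return [d for d in map(parse_dump, names) if d["kind"] == "memory"]


def shared_sizes(names):
    """Region sizes seen in more than one process -> sorted (pid, start) list."""
    by_size = defaultdict(list)
    for d in regions(names):
        by_size[d["size"]].append((d["pid"], d["start"]))
    return {size: sorted(locs) for size, locs in by_size.items()
            if len({pid for pid, _ in locs}) > 1}


def containing_region(names, pid, addr):
    """Name of the region dump of `pid` that contains `addr`, or None."""
    for d in regions(names):
        if d["pid"] == pid and d["start"] <= addr < d["end"]:
            return d["name"]
    return None


def timeline(names):
    """(seq, pid, kind, start) tuples in capture order."""
    return sorted((d["seq"], d["pid"], d["kind"], d["start"])
                  for d in map(parse_dump, names))


if __name__ == "__main__":
    for size, locs in sorted(shared_sizes(DUMPS).items()):
        where = ", ".join(f"pid {p} @ {hex(s)}" for p, s in locs)
        print(f"{hex(size):>9} bytes in {where}")
    print("mapping 0x41D450 of pid 964 lies in", containing_region(DUMPS, 964, 0x41D450))
```

Two sizes come out shared between PIDs 964 and 960: 0x29000 (the YARA-matched payload image) and 0x303000 (a second, larger region present in both, worth diffing against the first to see whether it is the unpacked stage or the copied system DLL the family keeps for its own syscalls). The timeline runs from 1324's first capture (seq 54) to Explorer's last (seq 73), matching the parent-to-child order in the process tree.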