xloader | 014d0ece0d472eaea73698d634308303ddb9f227f39d339a66416c3cb744d2c1

General

Target

Payment Confirmation.exe
Size

445KB
MD5

98ffc3c812e6cec919ebd286973e2002
SHA1

b0d1a65445a7923870ad23ec4d80f592e808c987
SHA256

014d0ece0d472eaea73698d634308303ddb9f227f39d339a66416c3cb744d2c1
SHA512

5875f8f2c736cbf501c25635f5c9014e499a7fce01f139315cbf5c0d3c45e1e8568a9fa8ddfe60cb0a44804a7677fdcd411eab4be6177926649b1b691d97a721

Score

10^/10

xloader b2c0 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b2c0

C2

http://www.thesewhitevvalls.com/b2c0/

Decoy

bjyxszd520.xyz

hsvfingerprinting.com

elliotpioneer.com

bf396.com

chinaopedia.com

6233v.com

shopeuphoricapparel.com

loccssol.store

truefictionpictures.com

playstarexch.com

peruviancoffee.store

shobhajoshi.com

philme.net

avito-rules.com

independencehomecenters.com

atp-cayenne.com

invetorsbank.com

sasanos.com

scentfreebnb.com

catfuid.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3852-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3852-117-0x000000000041D4C0-mapping.dmp	xloader
behavioral2/memory/1572-127-0x00000000004C0000-0x00000000004E9000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

Payment Confirmation.exe

pid process

1844 Payment Confirmation.exe

pid	process
1844	Payment Confirmation.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Payment Confirmation.exePayment Confirmation.exemsiexec.exe

description	pid	process	target process
PID 1844 set thread context of 3852	1844	Payment Confirmation.exe	Payment Confirmation.exe
PID 3852 set thread context of 2848	3852	Payment Confirmation.exe	Explorer.EXE
PID 1572 set thread context of 2848	1572	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

Payment Confirmation.exemsiexec.exe

pid	process
3852	Payment Confirmation.exe
3852	Payment Confirmation.exe
3852	Payment Confirmation.exe
3852	Payment Confirmation.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe
1572	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2848 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Payment Confirmation.exemsiexec.exe

pid process

3852 Payment Confirmation.exe
3852 Payment Confirmation.exe
3852 Payment Confirmation.exe
1572 msiexec.exe
1572 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Payment Confirmation.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 3852 Payment Confirmation.exe
Token: SeDebugPrivilege 1572 msiexec.exe

pid	process
2848	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3852	Payment Confirmation.exe
Token: SeDebugPrivilege	1572	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Payment Confirmation.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 1844 wrote to memory of 3852	1844	Payment Confirmation.exe	Payment Confirmation.exe
PID 1844 wrote to memory of 3852	1844	Payment Confirmation.exe	Payment Confirmation.exe
PID 1844 wrote to memory of 3852	1844	Payment Confirmation.exe	Payment Confirmation.exe
PID 1844 wrote to memory of 3852	1844	Payment Confirmation.exe	Payment Confirmation.exe
PID 1844 wrote to memory of 3852	1844	Payment Confirmation.exe	Payment Confirmation.exe
PID 1844 wrote to memory of 3852	1844	Payment Confirmation.exe	Payment Confirmation.exe
PID 2848 wrote to memory of 1572	2848	Explorer.EXE	msiexec.exe
PID 2848 wrote to memory of 1572	2848	Explorer.EXE	msiexec.exe
PID 2848 wrote to memory of 1572	2848	Explorer.EXE	msiexec.exe
PID 1572 wrote to memory of 1768	1572	msiexec.exe	cmd.exe
PID 1572 wrote to memory of 1768	1572	msiexec.exe	cmd.exe
PID 1572 wrote to memory of 1768	1572	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2848

C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:8

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe"
3⤵
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsvAB84.tmp\nawgsdqut.dll
MD5
d4233fefc9328cc30b0ef014beb2f51b

SHA1
302180a5edb1fd653d7884bb60172e6edfbbeac4

SHA256
1827a3002964434b0acff1359241948e334148d3413312cfea326cae8f269758

SHA512
b3e19c83e631b6a8b8b0d00ab14af811519765b737f1497f27e8c3a8c3328038967dbb6095671e4095af48d6355b5f13cec20c38ef2dfb14cc2ae8e9482de4af

Download Submit
memory/1572-124-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1572-129-0x0000000004190000-0x0000000004220000-memory.dmp

Filesize
576KB

Download
memory/1572-126-0x00000000009D0000-0x00000000009E2000-memory.dmp

Filesize
72KB

Download
memory/1572-128-0x0000000004330000-0x0000000004650000-memory.dmp

Filesize
3.1MB

Download
memory/1572-127-0x00000000004C0000-0x00000000004E9000-memory.dmp

Filesize
164KB

Download
memory/1572-122-0x0000000000000000-mapping.dmp

Download
memory/1572-123-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1768-125-0x0000000000000000-mapping.dmp

Download
memory/2848-121-0x00000000027D0000-0x00000000028B5000-memory.dmp

Filesize
916KB

Download
memory/2848-130-0x0000000002980000-0x0000000002A39000-memory.dmp

Filesize
740KB

Download
memory/3852-120-0x00000000009F0000-0x0000000000A01000-memory.dmp

Filesize
68KB

Download
memory/3852-119-0x0000000000A30000-0x0000000000D50000-memory.dmp

Filesize
3.1MB

Download
memory/3852-117-0x000000000041D4C0-mapping.dmp

Download
memory/3852-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads