xloader | 5bb8975c8a7e8080a8a68034458adfb7b8e9812b5a1fdd15f891656b03d086e6

General

Target

Quotation- urgent basis.exe
Size

349KB
MD5

ef946df7574b283bf24b349d2cb679bf
SHA1

5100dfe4456adfd5cea41b5c137ea9e2fd10c7f7
SHA256

5bb8975c8a7e8080a8a68034458adfb7b8e9812b5a1fdd15f891656b03d086e6
SHA512

1a06445a1433fa1701ce6a06b9c3d134f2322dde48994a4ed1d1805fb2b8d49b859d2ffefcfa7f967af49b4f761e2629530e3a37389d271516719b8b43e94108

Score

10^/10

xloader b2c0 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b2c0

C2

http://www.thesewhitevvalls.com/b2c0/

Decoy

bjyxszd520.xyz

hsvfingerprinting.com

elliotpioneer.com

bf396.com

chinaopedia.com

6233v.com

shopeuphoricapparel.com

loccssol.store

truefictionpictures.com

playstarexch.com

peruviancoffee.store

shobhajoshi.com

philme.net

avito-rules.com

independencehomecenters.com

atp-cayenne.com

invetorsbank.com

sasanos.com

scentfreebnb.com

catfuid.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3080-125-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3080-126-0x000000000041D4C0-mapping.dmp	xloader
behavioral2/memory/3080-131-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1796-137-0x0000000000940000-0x0000000000969000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

Quotation- urgent basis.exeQuotation- urgent basis.exeraserver.exe

description	pid	process	target process
PID 2548 set thread context of 3080	2548	Quotation- urgent basis.exe	Quotation- urgent basis.exe
PID 3080 set thread context of 3028	3080	Quotation- urgent basis.exe	Explorer.EXE
PID 3080 set thread context of 3028	3080	Quotation- urgent basis.exe	Explorer.EXE
PID 1796 set thread context of 3028	1796	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3020 schtasks.exe

pid	process
3020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

Quotation- urgent basis.exeQuotation- urgent basis.exeraserver.exe

pid	process
2548	Quotation- urgent basis.exe
2548	Quotation- urgent basis.exe
3080	Quotation- urgent basis.exe
3080	Quotation- urgent basis.exe
3080	Quotation- urgent basis.exe
3080	Quotation- urgent basis.exe
3080	Quotation- urgent basis.exe
3080	Quotation- urgent basis.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe
1796	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3028 Explorer.EXE

pid	process
3028	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Quotation- urgent basis.exeraserver.exe

pid	process
3080	Quotation- urgent basis.exe
3080	Quotation- urgent basis.exe
3080	Quotation- urgent basis.exe
3080	Quotation- urgent basis.exe
1796	raserver.exe
1796	raserver.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Quotation- urgent basis.exeQuotation- urgent basis.exeraserver.exe

description	pid	process
Token: SeDebugPrivilege	2548	Quotation- urgent basis.exe
Token: SeDebugPrivilege	3080	Quotation- urgent basis.exe
Token: SeDebugPrivilege	1796	raserver.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Quotation- urgent basis.exeQuotation- urgent basis.exeraserver.exe

description	pid	process	target process
PID 2548 wrote to memory of 3020	2548	Quotation- urgent basis.exe	schtasks.exe
PID 2548 wrote to memory of 3020	2548	Quotation- urgent basis.exe	schtasks.exe
PID 2548 wrote to memory of 3020	2548	Quotation- urgent basis.exe	schtasks.exe
PID 2548 wrote to memory of 3080	2548	Quotation- urgent basis.exe	Quotation- urgent basis.exe
PID 2548 wrote to memory of 3080	2548	Quotation- urgent basis.exe	Quotation- urgent basis.exe
PID 2548 wrote to memory of 3080	2548	Quotation- urgent basis.exe	Quotation- urgent basis.exe
PID 2548 wrote to memory of 3080	2548	Quotation- urgent basis.exe	Quotation- urgent basis.exe
PID 2548 wrote to memory of 3080	2548	Quotation- urgent basis.exe	Quotation- urgent basis.exe
PID 2548 wrote to memory of 3080	2548	Quotation- urgent basis.exe	Quotation- urgent basis.exe
PID 3080 wrote to memory of 1796	3080	Quotation- urgent basis.exe	raserver.exe
PID 3080 wrote to memory of 1796	3080	Quotation- urgent basis.exe	raserver.exe
PID 3080 wrote to memory of 1796	3080	Quotation- urgent basis.exe	raserver.exe
PID 1796 wrote to memory of 1328	1796	raserver.exe	cmd.exe
PID 1796 wrote to memory of 1328	1796	raserver.exe	cmd.exe
PID 1796 wrote to memory of 1328	1796	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3028

C:\Users\Admin\AppData\Local\Temp\Quotation- urgent basis.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation- urgent basis.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tSXhFZeobghlE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp896F.tmp"
3⤵
- Creates scheduled task(s)
PID:3020

C:\Users\Admin\AppData\Local\Temp\Quotation- urgent basis.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation- urgent basis.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
4⤵
PID:500

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Quotation- urgent basis.exe"
5⤵
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1328-135-0x0000000000000000-mapping.dmp

Download
memory/1796-134-0x0000000000000000-mapping.dmp

Download
memory/1796-139-0x0000000004930000-0x00000000049C0000-memory.dmp

Filesize
576KB

Download
memory/1796-137-0x0000000000940000-0x0000000000969000-memory.dmp

Filesize
164KB

Download
memory/1796-138-0x0000000004AD0000-0x0000000004DF0000-memory.dmp

Filesize
3.1MB

Download
memory/1796-136-0x0000000001380000-0x000000000139F000-memory.dmp

Filesize
124KB

Download
memory/2548-122-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/2548-123-0x0000000007A50000-0x0000000007A9B000-memory.dmp

Filesize
300KB

Download
memory/2548-117-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/2548-118-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/2548-119-0x00000000052D0000-0x00000000057CE000-memory.dmp

Filesize
5.0MB

Download
memory/2548-120-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/2548-121-0x0000000005590000-0x0000000005595000-memory.dmp

Filesize
20KB

Download
memory/2548-115-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/3020-124-0x0000000000000000-mapping.dmp

Download
memory/3028-133-0x0000000006620000-0x0000000006767000-memory.dmp

Filesize
1.3MB

Download
memory/3028-130-0x00000000064C0000-0x0000000006612000-memory.dmp

Filesize
1.3MB

Download
memory/3028-140-0x0000000002BB0000-0x0000000002C92000-memory.dmp

Filesize
904KB

Download
memory/3080-132-0x0000000002DE0000-0x0000000002DF1000-memory.dmp

Filesize
68KB

Download
memory/3080-131-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3080-128-0x0000000000FB0000-0x00000000012D0000-memory.dmp

Filesize
3.1MB

Download
memory/3080-129-0x0000000001480000-0x0000000001491000-memory.dmp

Filesize
68KB

Download
memory/3080-126-0x000000000041D4C0-mapping.dmp

Download
memory/3080-125-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads