xloader | 18e91cbaa2d04fa969e97e947ccd011d494f68eb6375b067f0342a7765fb3119

Analysis

max time kernel
149s
max time network
150s
platform
windows10_x64
resource
win10-en-20211014
submitted
21-10-2021 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QUOTATION.exe
Size

253KB
MD5

cadf879ded4e6a753d7b172b77bce50d
SHA1

ab4f8431c170d75040d8b2984f5e7eadeeeedab9
SHA256

18e91cbaa2d04fa969e97e947ccd011d494f68eb6375b067f0342a7765fb3119
SHA512

c685444886b555978228cd2fb47b0725b25443b8fcd19be70f804a5bf433ebc9a35291ea33edf6fcc9030fcd26a89009a3b223c39432a001842494b20bf5f5d7

Score

10^/10

xloader d6pu loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

d6pu

http://www.bonitaspringshomesearch.com/d6pu/

Decoy

ifixcreditatl.com

productgeekout.com

electricvehicle-insurance.com

kuiper.business

cloudenglabs.com

gorbepari.com

collecthappy.com

amykrussell.store

clubhousebusinesscourse.com

aplussinifiklima.com

slewis.design

atticwitt.com

galenota.com

griphook.xyz

gsjbd1.club

bootystrapfitness.com

emflawrhks.com

alternativedata.investments

eyehealthtnpasumo3.xyz

naturanzaec.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3652-117-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3652-118-0x000000000041D4E0-mapping.dmp	xloader
behavioral2/memory/3652-123-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1180-129-0x00000000032D0000-0x00000000032F9000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

QUOTATION.exe

pid process

1132 QUOTATION.exe

pid	process
1132	QUOTATION.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

QUOTATION.exeQUOTATION.exeNETSTAT.EXE

description	pid	process	target process
PID 1132 set thread context of 3652	1132	QUOTATION.exe	QUOTATION.exe
PID 3652 set thread context of 3028	3652	QUOTATION.exe	Explorer.EXE
PID 3652 set thread context of 3028	3652	QUOTATION.exe	Explorer.EXE
PID 1180 set thread context of 3028	1180	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1180 NETSTAT.EXE

pid	process
1180	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

QUOTATION.exeNETSTAT.EXE

pid	process
3652	QUOTATION.exe
3652	QUOTATION.exe
3652	QUOTATION.exe
3652	QUOTATION.exe
3652	QUOTATION.exe
3652	QUOTATION.exe
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE
1180	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3028 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

QUOTATION.exeNETSTAT.EXE

pid process

3652 QUOTATION.exe
3652 QUOTATION.exe
3652 QUOTATION.exe
3652 QUOTATION.exe
1180 NETSTAT.EXE
1180 NETSTAT.EXE

pid	process
3028	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

QUOTATION.exeNETSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3652	QUOTATION.exe
Token: SeDebugPrivilege	1180	NETSTAT.EXE
Token: SeShutdownPrivilege	3028	Explorer.EXE
Token: SeCreatePagefilePrivilege	3028	Explorer.EXE
Token: SeShutdownPrivilege	3028	Explorer.EXE
Token: SeCreatePagefilePrivilege	3028	Explorer.EXE
Token: SeShutdownPrivilege	3028	Explorer.EXE
Token: SeCreatePagefilePrivilege	3028	Explorer.EXE
Token: SeShutdownPrivilege	3028	Explorer.EXE
Token: SeCreatePagefilePrivilege	3028	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

QUOTATION.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1132 wrote to memory of 3652	1132	QUOTATION.exe	QUOTATION.exe
PID 1132 wrote to memory of 3652	1132	QUOTATION.exe	QUOTATION.exe
PID 1132 wrote to memory of 3652	1132	QUOTATION.exe	QUOTATION.exe
PID 1132 wrote to memory of 3652	1132	QUOTATION.exe	QUOTATION.exe
PID 1132 wrote to memory of 3652	1132	QUOTATION.exe	QUOTATION.exe
PID 1132 wrote to memory of 3652	1132	QUOTATION.exe	QUOTATION.exe
PID 3028 wrote to memory of 1180	3028	Explorer.EXE	NETSTAT.EXE
PID 3028 wrote to memory of 1180	3028	Explorer.EXE	NETSTAT.EXE
PID 3028 wrote to memory of 1180	3028	Explorer.EXE	NETSTAT.EXE
PID 1180 wrote to memory of 1364	1180	NETSTAT.EXE	cmd.exe
PID 1180 wrote to memory of 1364	1180	NETSTAT.EXE	cmd.exe
PID 1180 wrote to memory of 1364	1180	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
3⤵
PID:1364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nslD3CC.tmp\zntsolrgxs.dll
MD5
fe76b0ef249aebd98f82d6437721c047

SHA1
b1d40595e05da9c6f8627885b36177d4ecd54f21

SHA256
39724fa50de7a8937dec84a3f00fe23c9dea895d312bdce8133db18f15ee1a81

SHA512
abff3bc26f23c3c864bca8bb4ef1191278bb88bf5d604db949a822fc98525bcecdc21acceffbca1aae5557c8a13e9e15092837bc1c16b3ec2d03c6b3fc8fd725

Download Submit
memory/1180-128-0x00000000000B0000-0x00000000000BB000-memory.dmp

Filesize
44KB

Download
memory/1180-126-0x0000000000000000-mapping.dmp

Download
memory/1180-129-0x00000000032D0000-0x00000000032F9000-memory.dmp

Filesize
164KB

Download
memory/1180-131-0x0000000003830000-0x00000000038C0000-memory.dmp

Filesize
576KB

Download
memory/1180-130-0x0000000003480000-0x00000000037A0000-memory.dmp

Filesize
3.1MB

Download
memory/1364-127-0x0000000000000000-mapping.dmp

Download
memory/3028-172-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/3028-135-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/3028-222-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-177-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-132-0x0000000002700000-0x00000000027D9000-memory.dmp

Filesize
868KB

Download
memory/3028-134-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/3028-133-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/3028-176-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-136-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/3028-138-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/3028-137-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-139-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/3028-140-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-141-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/3028-142-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-143-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-144-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-145-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-146-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/3028-147-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/3028-148-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-149-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/3028-150-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/3028-151-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-152-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-153-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-154-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-155-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-156-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/3028-179-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-158-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-159-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-160-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-161-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-163-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-162-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/3028-165-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-164-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/3028-166-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-167-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-169-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-168-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-171-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-170-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/3028-173-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-122-0x0000000005D30000-0x0000000005E5F000-memory.dmp

Filesize
1.2MB

Download
memory/3028-174-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-175-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-125-0x0000000006750000-0x0000000006879000-memory.dmp

Filesize
1.2MB

Download
memory/3028-220-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-157-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/3028-178-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/3028-181-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-180-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-182-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-183-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/3028-184-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-185-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-186-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-187-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-188-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-189-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-190-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-191-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/3028-192-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/3028-193-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-194-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-195-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-196-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-197-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-198-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/3028-199-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/3028-200-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-201-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-202-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-203-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-205-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-204-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/3028-207-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-206-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-209-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-208-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-211-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-210-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-213-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-212-0x00000000007C0000-0x00000000007D0000-memory.dmp

Filesize
64KB

Download
memory/3028-215-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-214-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-217-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-216-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-218-0x00000000007C0000-0x00000000007D0000-memory.dmp

Filesize
64KB

Download
memory/3028-219-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3028-221-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3652-118-0x000000000041D4E0-mapping.dmp

Download
memory/3652-117-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3652-120-0x0000000000AB0000-0x0000000000DD0000-memory.dmp

Filesize
3.1MB

Download
memory/3652-121-0x00000000009F0000-0x0000000000A01000-memory.dmp

Filesize
68KB

Download
memory/3652-123-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3652-124-0x0000000000A30000-0x0000000000A41000-memory.dmp

Filesize
68KB

Download