xloader | 77abd0b0f20b0ca86c241acf5d5d60188362e75213f894b7bea82c8f75a3c1b1

General

Target

New order payment.exe
Size

248KB
MD5

0c301355b11c3bc570d18b02bb7c99d8
SHA1

b35295390555e6fc0b85d538dafbfb4cf8c68564
SHA256

77abd0b0f20b0ca86c241acf5d5d60188362e75213f894b7bea82c8f75a3c1b1
SHA512

a84f50ca4ab7f2e7d29388dfc3ddd152437ad049a0b61d30462f0a2fcfbc21e0810bd5851bcae172c613eebf8c4c70c5073c3f641beca700acaa6d35582b3e25

Score

10^/10

xloader u9xn loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u9xn

C2

http://www.crisisinterventionadvocates.com/u9xn/

Decoy

lifeguardingcoursenearme.com

bolsaspapelcdmx.com

parsleypkllqu.xyz

68134.online

shopthatlookboutique.com

canlibahisportal.com

oligopoly.city

srchwithus.online

151motors.com

17yue.info

auntmarysnj.com

hanansalman.com

heyunshangcheng.info

doorslamersplus.com

sfcn-dng.com

highvizpeople.com

seoexpertinbangladesh.com

christinegagnonjewellery.com

artifactorie.biz

mre3.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3892-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3892-117-0x000000000041D4F0-mapping.dmp	xloader
behavioral2/memory/2644-125-0x0000000003390000-0x00000000033B9000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

New order payment.exe

pid process

2636 New order payment.exe

pid	process
2636	New order payment.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

New order payment.exeNew order payment.execmd.exe

description	pid	process	target process
PID 2636 set thread context of 3892	2636	New order payment.exe	New order payment.exe
PID 3892 set thread context of 3020	3892	New order payment.exe	Explorer.EXE
PID 2644 set thread context of 3020	2644	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

New order payment.execmd.exe

pid	process
3892	New order payment.exe
3892	New order payment.exe
3892	New order payment.exe
3892	New order payment.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe
2644	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

New order payment.execmd.exe

pid process

3892 New order payment.exe
3892 New order payment.exe
3892 New order payment.exe
2644 cmd.exe
2644 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

New order payment.execmd.exe

description pid process

Token: SeDebugPrivilege 3892 New order payment.exe
Token: SeDebugPrivilege 2644 cmd.exe

pid	process
3020	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3892	New order payment.exe
Token: SeDebugPrivilege	2644	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

New order payment.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2636 wrote to memory of 3892	2636	New order payment.exe	New order payment.exe
PID 2636 wrote to memory of 3892	2636	New order payment.exe	New order payment.exe
PID 2636 wrote to memory of 3892	2636	New order payment.exe	New order payment.exe
PID 2636 wrote to memory of 3892	2636	New order payment.exe	New order payment.exe
PID 2636 wrote to memory of 3892	2636	New order payment.exe	New order payment.exe
PID 2636 wrote to memory of 3892	2636	New order payment.exe	New order payment.exe
PID 3020 wrote to memory of 2644	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 2644	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 2644	3020	Explorer.EXE	cmd.exe
PID 2644 wrote to memory of 3756	2644	cmd.exe	cmd.exe
PID 2644 wrote to memory of 3756	2644	cmd.exe	cmd.exe
PID 2644 wrote to memory of 3756	2644	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\New order payment.exe
"C:\Users\Admin\AppData\Local\Temp\New order payment.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\New order payment.exe
"C:\Users\Admin\AppData\Local\Temp\New order payment.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\New order payment.exe"
3⤵
PID:3756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsbBAC6.tmp\fsfowpfjd.dll
MD5
6f6e2f6f2744b49b7b411448f0f3eb13

SHA1
942cad5faa2ba6099414609f79b9d54a9b52919c

SHA256
74650c5dcc320e98f88369fd97a4a84f7485160441aa1cc985d2912b3e0dfa00

SHA512
8948c5c1b1010fa38d7be0d0c4ff159939ac44d320e2aea3c9709135ffd79507cd8efd1633dd04aa8efb26efd8ffa1a30a6830f106227d81e8085771d40ffe7b

Download Submit
memory/2644-125-0x0000000003390000-0x00000000033B9000-memory.dmp

Filesize
164KB

Download
memory/2644-122-0x0000000000000000-mapping.dmp

Download
memory/2644-124-0x0000000000E90000-0x0000000000EE9000-memory.dmp

Filesize
356KB

Download
memory/2644-126-0x00000000033C0000-0x000000000350A000-memory.dmp

Filesize
1.3MB

Download
memory/2644-127-0x00000000039F0000-0x0000000003A80000-memory.dmp

Filesize
576KB

Download
memory/3020-121-0x0000000005E40000-0x0000000005F45000-memory.dmp

Filesize
1.0MB

Download
memory/3020-128-0x00000000062E0000-0x00000000063F7000-memory.dmp

Filesize
1.1MB

Download
memory/3756-123-0x0000000000000000-mapping.dmp

Download
memory/3892-117-0x000000000041D4F0-mapping.dmp

Download
memory/3892-120-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/3892-119-0x0000000000A90000-0x0000000000DB0000-memory.dmp

Filesize
3.1MB

Download
memory/3892-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads