xloader | b980dfcce93e9140d8ce71151f2f385026b8cebc195b71055707e1468ad0131b

General

Target

RFQ#.exe
Size

296KB
MD5

3838c43e12f0c22ecf9a9a0c1deb1d30
SHA1

7b9d8e4a093672411f71f1cf6a7fe6803c61773c
SHA256

b980dfcce93e9140d8ce71151f2f385026b8cebc195b71055707e1468ad0131b
SHA512

f0f860a56500b449b29558dc6e8860ce4441cee2612cc22c7cb9aaf5106062e290e3b3313dd0eef55fe1678791992f0502dbda9d0350110b7f7591853445935c

Score

10^/10

xloader unzn loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

unzn

C2

http://www.davanamays.com/unzn/

Decoy

xiulf.com

highcountrymortar.com

523561.com

marketingagency.tools

ganmovie.net

nationaalcontactpunt.com

sirrbter.com

begizas.xyz

missimi-fashion.com

munixc.info

daas.support

spaceworbc.com

faithtruthresolve.com

gymkub.com

thegrayverse.xyz

artisanmakefurniture.com

029tryy.com

ijuubx.biz

iphone13promax.club

techuniversus.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/560-56-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/560-57-0x000000000041D430-mapping.dmp	xloader
behavioral1/memory/560-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/788-67-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1072 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

RFQ#.exe

pid process

1408 RFQ#.exe

pid	process
1072	cmd.exe

pid	process
1408	RFQ#.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

RFQ#.exeRFQ#.exewininit.exe

description	pid	process	target process
PID 1408 set thread context of 560	1408	RFQ#.exe	RFQ#.exe
PID 560 set thread context of 1336	560	RFQ#.exe	Explorer.EXE
PID 560 set thread context of 1336	560	RFQ#.exe	Explorer.EXE
PID 788 set thread context of 1336	788	wininit.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

RFQ#.exewininit.exe

pid	process
560	RFQ#.exe
560	RFQ#.exe
560	RFQ#.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe
788	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1336 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RFQ#.exewininit.exe

pid process

560 RFQ#.exe
560 RFQ#.exe
560 RFQ#.exe
560 RFQ#.exe
788 wininit.exe
788 wininit.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RFQ#.exewininit.exe

description pid process

Token: SeDebugPrivilege 560 RFQ#.exe
Token: SeDebugPrivilege 788 wininit.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1336 Explorer.EXE
1336 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1336 Explorer.EXE
1336 Explorer.EXE

pid	process
1336	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	560	RFQ#.exe
Token: SeDebugPrivilege	788	wininit.exe

pid	process
1336	Explorer.EXE
1336	Explorer.EXE

pid	process
1336	Explorer.EXE
1336	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

RFQ#.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 1408 wrote to memory of 560	1408	RFQ#.exe	RFQ#.exe
PID 1408 wrote to memory of 560	1408	RFQ#.exe	RFQ#.exe
PID 1408 wrote to memory of 560	1408	RFQ#.exe	RFQ#.exe
PID 1408 wrote to memory of 560	1408	RFQ#.exe	RFQ#.exe
PID 1408 wrote to memory of 560	1408	RFQ#.exe	RFQ#.exe
PID 1408 wrote to memory of 560	1408	RFQ#.exe	RFQ#.exe
PID 1408 wrote to memory of 560	1408	RFQ#.exe	RFQ#.exe
PID 1336 wrote to memory of 788	1336	Explorer.EXE	wininit.exe
PID 1336 wrote to memory of 788	1336	Explorer.EXE	wininit.exe
PID 1336 wrote to memory of 788	1336	Explorer.EXE	wininit.exe
PID 1336 wrote to memory of 788	1336	Explorer.EXE	wininit.exe
PID 788 wrote to memory of 1072	788	wininit.exe	cmd.exe
PID 788 wrote to memory of 1072	788	wininit.exe	cmd.exe
PID 788 wrote to memory of 1072	788	wininit.exe	cmd.exe
PID 788 wrote to memory of 1072	788	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\RFQ#.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ#.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\RFQ#.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ#.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:572

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1484

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RFQ#.exe"
3⤵
- Deletes itself
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy2991.tmp\qdubg.dll
MD5
55a776d0472c31ed04059c11c38d7953

SHA1
ffaf336496a3f5333eb50347d22f58aa167f6dfe

SHA256
19ee07473845faf92de1dc004133078ed730a9ca95a577a0300e9b3a4384a448

SHA512
2e221116a744682de53ca10eb9aed09d703ffd19e8140936be98900293eb74fcbb295bc32817b712a7c1ad6d3ea946374b96e0ad758b7c88dbfa15e25a5eb071

Download Submit
memory/560-63-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/560-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/560-57-0x000000000041D430-mapping.dmp

Download
memory/560-60-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/560-59-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download
memory/560-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/788-66-0x0000000000E40000-0x0000000000E5A000-memory.dmp

Filesize
104KB

Download
memory/788-65-0x0000000000000000-mapping.dmp

Download
memory/788-67-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/788-69-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/788-70-0x00000000008B0000-0x0000000000940000-memory.dmp

Filesize
576KB

Download
memory/1072-68-0x0000000000000000-mapping.dmp

Download
memory/1336-61-0x00000000068F0000-0x0000000006A5A000-memory.dmp

Filesize
1.4MB

Download
memory/1336-64-0x0000000007050000-0x00000000071DF000-memory.dmp

Filesize
1.6MB

Download
memory/1336-71-0x0000000004A20000-0x0000000004ACE000-memory.dmp

Filesize
696KB

Download
memory/1408-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads