xloader | 60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68

General

Target

60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exe
Size

1005KB
MD5

ab88797a02acd0499d33fcaa807f46cd
SHA1

04ca9bc69e500239d677d46d2e53a9ef5fc69f41
SHA256

60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68
SHA512

61c5c1d00bcc9f9986f7da0873fc4d74d55f5abf07d6eeddfe4f787ce1b40f98bfeb86d95da968858a79d2f03340ebf538c5711b1485800fa2958a0e4221e365

Score

10^/10

xloader rqan loader persistence rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rqan

C2

http://www.cardboutiqueapp.com/rqan/

Decoy

panda.wiki

gailkannamassage.com

ungravitystudio.com

coraggiomusicschool.com

51walkerstreetrippleside.com

infemax.store

mapara-foundation.net

elitespeedwaxs.com

manateeprint.com

thelocksmithtradeshow.com

phoenix-out-of-ashes.com

marionkgregory.store

abasketofwords.com

century21nokta.com

anthonyaarnold.com

forevermyanmar.com

ramashi.com

uniquecarbonbrush.com

packecco.com

appelnacrtl.quest

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3944-117-0x0000000000000000-mapping.dmp	xloader
behavioral1/memory/3944-119-0x0000000073F00000-0x0000000073F29000-memory.dmp	xloader
behavioral1/memory/3264-126-0x0000000003390000-0x00000000033B9000-memory.dmp	xloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evjvfh = "C:\\Users\\Public\\Libraries\\\\hfvjvE.url"	60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

logagent.execscript.exe

description	pid	process	target process
PID 3944 set thread context of 3008	3944	logagent.exe	Explorer.EXE
PID 3264 set thread context of 3008	3264	cscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

logagent.execscript.exe

pid	process
3944	logagent.exe
3944	logagent.exe
3944	logagent.exe
3944	logagent.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe
3264	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3008 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

logagent.execscript.exe

pid process

3944 logagent.exe
3944 logagent.exe
3944 logagent.exe
3264 cscript.exe
3264 cscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

logagent.execscript.exe

description pid process

Token: SeDebugPrivilege 3944 logagent.exe
Token: SeDebugPrivilege 3264 cscript.exe

pid	process
3008	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3944	logagent.exe
Token: SeDebugPrivilege	3264	cscript.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exeExplorer.EXE

description	pid	process	target process
PID 2096 wrote to memory of 3944	2096	60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exe	logagent.exe
PID 2096 wrote to memory of 3944	2096	60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exe	logagent.exe
PID 2096 wrote to memory of 3944	2096	60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exe	logagent.exe
PID 2096 wrote to memory of 3944	2096	60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exe	logagent.exe
PID 2096 wrote to memory of 3944	2096	60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exe	logagent.exe
PID 2096 wrote to memory of 3944	2096	60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exe	logagent.exe
PID 3008 wrote to memory of 3264	3008	Explorer.EXE	cscript.exe
PID 3008 wrote to memory of 3264	3008	Explorer.EXE	cscript.exe
PID 3008 wrote to memory of 3264	3008	Explorer.EXE	cscript.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exe
"C:\Users\Admin\AppData\Local\Temp\60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2096-116-0x0000000002A11000-0x0000000002A25000-memory.dmp

Filesize
80KB

Download
memory/2096-115-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3008-129-0x00000000053E0000-0x000000000556C000-memory.dmp

Filesize
1.5MB

Download
memory/3008-123-0x0000000002C70000-0x0000000002D3B000-memory.dmp

Filesize
812KB

Download
memory/3264-126-0x0000000003390000-0x00000000033B9000-memory.dmp

Filesize
164KB

Download
memory/3264-128-0x0000000004DF0000-0x0000000004E80000-memory.dmp

Filesize
576KB

Download
memory/3264-125-0x00000000009F0000-0x0000000000A17000-memory.dmp

Filesize
156KB

Download
memory/3264-127-0x0000000004A40000-0x0000000004D60000-memory.dmp

Filesize
3.1MB

Download
memory/3264-124-0x0000000000000000-mapping.dmp

Download
memory/3944-119-0x0000000073F00000-0x0000000073F29000-memory.dmp

Filesize
164KB

Download
memory/3944-121-0x0000000004E20000-0x0000000005140000-memory.dmp

Filesize
3.1MB

Download
memory/3944-122-0x0000000004BD0000-0x0000000004BE1000-memory.dmp

Filesize
68KB

Download
memory/3944-118-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/3944-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads