xloader | d8b561c208cf5d6425814ba4b685a6b80816715a804aec36dffe3e0bc29e73fa

General

Target

New order 7nbm471.exe
Size

287KB
MD5

799da86c201ef4652c1f8ca1ce49373f
SHA1

dec072bcf61ecccef4d330ec0fd70823994bd3b9
SHA256

253a4d6b49703d6dfbf3aeadd226ea692997edfb4bd0df7c6e97b7cffd1ef2f2
SHA512

f7cac00d671c31558de18b548fc994d4ad7bbbcd583b5a62840bb97e67f55cec429ae6ad42f0b23ac0f857b201d230ddd776a8b6757f335111707878c201b6a7

Score

10^/10

xloader u9xn loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u9xn

C2

http://www.crisisinterventionadvocates.com/u9xn/

Decoy

lifeguardingcoursenearme.com

bolsaspapelcdmx.com

parsleypkllqu.xyz

68134.online

shopthatlookboutique.com

canlibahisportal.com

oligopoly.city

srchwithus.online

151motors.com

17yue.info

auntmarysnj.com

hanansalman.com

heyunshangcheng.info

doorslamersplus.com

sfcn-dng.com

highvizpeople.com

seoexpertinbangladesh.com

christinegagnonjewellery.com

artifactorie.biz

mre3.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1160-57-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1160-58-0x000000000041D4F0-mapping.dmp	xloader
behavioral1/memory/1160-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1892-70-0x0000000000090000-0x00000000000B9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1116 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

New order 7nbm471.exe

pid process

1696 New order 7nbm471.exe

pid	process
1116	cmd.exe

pid	process
1696	New order 7nbm471.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

New order 7nbm471.exeNew order 7nbm471.exerundll32.exe

description	pid	process	target process
PID 1696 set thread context of 1160	1696	New order 7nbm471.exe	New order 7nbm471.exe
PID 1160 set thread context of 1212	1160	New order 7nbm471.exe	Explorer.EXE
PID 1160 set thread context of 1212	1160	New order 7nbm471.exe	Explorer.EXE
PID 1892 set thread context of 1212	1892	rundll32.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Program Files (x86)\Lxtkd\Cookies_nu0.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files (x86)\Lxtkd\Cookies_nu0.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

New order 7nbm471.exerundll32.exe

pid	process
1160	New order 7nbm471.exe
1160	New order 7nbm471.exe
1160	New order 7nbm471.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe
1892	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

New order 7nbm471.exerundll32.exe

pid process

1160 New order 7nbm471.exe
1160 New order 7nbm471.exe
1160 New order 7nbm471.exe
1160 New order 7nbm471.exe
1892 rundll32.exe
1892 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

New order 7nbm471.exerundll32.exe

description pid process

Token: SeDebugPrivilege 1160 New order 7nbm471.exe
Token: SeDebugPrivilege 1892 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE

pid	process
1212	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1160	New order 7nbm471.exe
Token: SeDebugPrivilege	1892	rundll32.exe

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

New order 7nbm471.exeNew order 7nbm471.exerundll32.exe

description	pid	process	target process
PID 1696 wrote to memory of 1160	1696	New order 7nbm471.exe	New order 7nbm471.exe
PID 1696 wrote to memory of 1160	1696	New order 7nbm471.exe	New order 7nbm471.exe
PID 1696 wrote to memory of 1160	1696	New order 7nbm471.exe	New order 7nbm471.exe
PID 1696 wrote to memory of 1160	1696	New order 7nbm471.exe	New order 7nbm471.exe
PID 1696 wrote to memory of 1160	1696	New order 7nbm471.exe	New order 7nbm471.exe
PID 1696 wrote to memory of 1160	1696	New order 7nbm471.exe	New order 7nbm471.exe
PID 1696 wrote to memory of 1160	1696	New order 7nbm471.exe	New order 7nbm471.exe
PID 1160 wrote to memory of 1892	1160	New order 7nbm471.exe	rundll32.exe
PID 1160 wrote to memory of 1892	1160	New order 7nbm471.exe	rundll32.exe
PID 1160 wrote to memory of 1892	1160	New order 7nbm471.exe	rundll32.exe
PID 1160 wrote to memory of 1892	1160	New order 7nbm471.exe	rundll32.exe
PID 1160 wrote to memory of 1892	1160	New order 7nbm471.exe	rundll32.exe
PID 1160 wrote to memory of 1892	1160	New order 7nbm471.exe	rundll32.exe
PID 1160 wrote to memory of 1892	1160	New order 7nbm471.exe	rundll32.exe
PID 1892 wrote to memory of 1116	1892	rundll32.exe	cmd.exe
PID 1892 wrote to memory of 1116	1892	rundll32.exe	cmd.exe
PID 1892 wrote to memory of 1116	1892	rundll32.exe	cmd.exe
PID 1892 wrote to memory of 1116	1892	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1212

C:\Users\Admin\AppData\Local\Temp\New order 7nbm471.exe
"C:\Users\Admin\AppData\Local\Temp\New order 7nbm471.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\New order 7nbm471.exe
"C:\Users\Admin\AppData\Local\Temp\New order 7nbm471.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
4⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\New order 7nbm471.exe"
5⤵
- Deletes itself
PID:1116

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1532

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1528

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:580

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:276

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:860

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:600

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:552

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:696

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1764

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1624

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1776

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1752

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1044

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1384

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:824

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1512

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:800

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1004

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:628

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdBB16.tmp\rcbzyxq.dll
MD5
2a3da24089acc7336f88fee94669c076

SHA1
b75d6f45d201de0ccd0e57995552bf92e89f98ed

SHA256
9e6fe495fbc2d93d6bb59fc2a3a72f6bf580ba4e199e441f09b2ff86db981ec0

SHA512
2a7d011f3a1b05cf83cd8af8ff30bce8cf3bddf5bbad700da6b67be79c44e23f64387ba68e5650fd83125f56b3623aad56d97d75bf24dec890117cf589858ee9

Download Submit
memory/1116-68-0x0000000000000000-mapping.dmp

Download
memory/1160-64-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/1160-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1160-58-0x000000000041D4F0-mapping.dmp

Download
memory/1160-61-0x0000000000580000-0x0000000000591000-memory.dmp

Filesize
68KB

Download
memory/1160-60-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1160-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1212-65-0x00000000077C0000-0x00000000078F2000-memory.dmp

Filesize
1.2MB

Download
memory/1212-62-0x0000000006340000-0x0000000006460000-memory.dmp

Filesize
1.1MB

Download
memory/1212-73-0x0000000007980000-0x0000000007ABC000-memory.dmp

Filesize
1.2MB

Download
memory/1696-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1892-66-0x0000000000000000-mapping.dmp

Download
memory/1892-69-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/1892-70-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1892-71-0x0000000002280000-0x0000000002583000-memory.dmp

Filesize
3.0MB

Download
memory/1892-72-0x0000000000340000-0x00000000003D0000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads