xloader | e7ebd0f6e974c862ca13950fc1ba1c63a45af6af39fc757a2d07896bb566deb9

General

Target

Potvrda narudzbe je u prilogu.exe
Size

1017KB
MD5

d1fba67f9bf438b8678a2a5d27091658
SHA1

3723e2f1964c30c891c920a602447d65d1e43b52
SHA256

4060e631308ba8b6a91a0c9c567296b39f5bf2e041f3f822fdaaba5c83a37a59
SHA512

8bd2c5330f6687d67d4057fcb613482d396cbcef4b1f9efd4b60d1edfb14504c357b3ccdfbcc589af5086258ac92826a7fb6fcd94ca0ad2e34ce37a46581a860

Score

10^/10

xloader pvxz loader persistence rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pvxz

C2

http://www.finetipster.com/pvxz/

Decoy

imt-token.club

abravewayocen.online

shcloudcar.com

mshoppingworld.online

ncgf08.xyz

stuinfo.xyz

wesavetheplanetofficial.com

tourbox.xyz

believeinyourselftraining.com

jsboyat.com

aaeconomy.info

9etmorea.info

purosepeti7.com

goticketly.com

pinkmemorypt.com

mylifewellnesscentre.com

iridina.online

petrestore.online

neema.xyz

novelfooditalia.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3084-120-0x0000000000000000-mapping.dmp	xloader
behavioral2/memory/3084-122-0x0000000072480000-0x00000000724A9000-memory.dmp	xloader
behavioral2/memory/2896-130-0x0000000000600000-0x0000000000629000-memory.dmp	xloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Potvrda narudzbe je u prilogu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dnynij = "C:\\Users\\Public\\Libraries\\\\jinynD.url"	Potvrda narudzbe je u prilogu.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

logagent.exeraserver.exe

description	pid	process	target process
PID 3084 set thread context of 3040	3084	logagent.exe	Explorer.EXE
PID 2896 set thread context of 3040	2896	raserver.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

logagent.exeraserver.exe

pid	process
3084	logagent.exe
3084	logagent.exe
3084	logagent.exe
3084	logagent.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe
2896	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3040 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

logagent.exeraserver.exe

pid process

3084 logagent.exe
3084 logagent.exe
3084 logagent.exe
2896 raserver.exe
2896 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

logagent.exeraserver.exe

description pid process

Token: SeDebugPrivilege 3084 logagent.exe
Token: SeDebugPrivilege 2896 raserver.exe

pid	process
3040	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3084	logagent.exe
Token: SeDebugPrivilege	2896	raserver.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Potvrda narudzbe je u prilogu.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 2436 wrote to memory of 3084	2436	Potvrda narudzbe je u prilogu.exe	logagent.exe
PID 2436 wrote to memory of 3084	2436	Potvrda narudzbe je u prilogu.exe	logagent.exe
PID 2436 wrote to memory of 3084	2436	Potvrda narudzbe je u prilogu.exe	logagent.exe
PID 2436 wrote to memory of 3084	2436	Potvrda narudzbe je u prilogu.exe	logagent.exe
PID 2436 wrote to memory of 3084	2436	Potvrda narudzbe je u prilogu.exe	logagent.exe
PID 2436 wrote to memory of 3084	2436	Potvrda narudzbe je u prilogu.exe	logagent.exe
PID 3040 wrote to memory of 2896	3040	Explorer.EXE	raserver.exe
PID 3040 wrote to memory of 2896	3040	Explorer.EXE	raserver.exe
PID 3040 wrote to memory of 2896	3040	Explorer.EXE	raserver.exe
PID 2896 wrote to memory of 3724	2896	raserver.exe	cmd.exe
PID 2896 wrote to memory of 3724	2896	raserver.exe	cmd.exe
PID 2896 wrote to memory of 3724	2896	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\Potvrda narudzbe je u prilogu.exe
"C:\Users\Admin\AppData\Local\Temp\Potvrda narudzbe je u prilogu.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3296

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1284

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1132

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:292

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:844

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:944

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1336

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1972

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2292

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2512

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\logagent.exe"
3⤵
PID:3724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2436-119-0x0000000002131000-0x0000000002145000-memory.dmp

Filesize
80KB

Download
memory/2436-118-0x0000000000660000-0x00000000007AA000-memory.dmp

Filesize
1.3MB

Download
memory/2896-129-0x0000000001220000-0x000000000123F000-memory.dmp

Filesize
124KB

Download
memory/2896-132-0x0000000000D00000-0x0000000000D90000-memory.dmp

Filesize
576KB

Download
memory/2896-131-0x0000000000EB0000-0x00000000011D0000-memory.dmp

Filesize
3.1MB

Download
memory/2896-130-0x0000000000600000-0x0000000000629000-memory.dmp

Filesize
164KB

Download
memory/2896-127-0x0000000000000000-mapping.dmp

Download
memory/3040-133-0x0000000006AD0000-0x0000000006C4E000-memory.dmp

Filesize
1.5MB

Download
memory/3040-126-0x0000000006930000-0x0000000006ACE000-memory.dmp

Filesize
1.6MB

Download
memory/3084-125-0x0000000004550000-0x0000000004561000-memory.dmp

Filesize
68KB

Download
memory/3084-124-0x0000000004670000-0x0000000004990000-memory.dmp

Filesize
3.1MB

Download
memory/3084-121-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/3084-122-0x0000000072480000-0x00000000724A9000-memory.dmp

Filesize
164KB

Download
memory/3084-120-0x0000000000000000-mapping.dmp

Download
memory/3724-128-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads