xloader | dd07d6d24f528663fa5cb854c523d5ba2b096a9b3dc23b466cef94355f0cdec9

General

Target

NEW ORDER 2021.exe
Size

307KB
MD5

e6bd805df7bb8a90503c4b1f5784bd3c
SHA1

51d0e6942ca0732c5a3f2e2876d9216236bfc178
SHA256

dd07d6d24f528663fa5cb854c523d5ba2b096a9b3dc23b466cef94355f0cdec9
SHA512

f715ddcf9c169cbb2073f7e80afc151c09605717202da13b3eb40841077c2bbbbea4b996b13ca31abd1d6f38e89e583de9c1db7ad908ff5245299e95cc0625a5

Score

10^/10

xloader b2c0 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b2c0

C2

http://www.thesewhitevvalls.com/b2c0/

Decoy

bjyxszd520.xyz

hsvfingerprinting.com

elliotpioneer.com

bf396.com

chinaopedia.com

6233v.com

shopeuphoricapparel.com

loccssol.store

truefictionpictures.com

playstarexch.com

peruviancoffee.store

shobhajoshi.com

philme.net

avito-rules.com

independencehomecenters.com

atp-cayenne.com

invetorsbank.com

sasanos.com

scentfreebnb.com

catfuid.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3512-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3512-117-0x000000000041D4C0-mapping.dmp	xloader
behavioral2/memory/3512-122-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/592-127-0x0000000000BA0000-0x0000000000BC9000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

NEW ORDER 2021.exe

pid process

3924 NEW ORDER 2021.exe

pid	process
3924	NEW ORDER 2021.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

NEW ORDER 2021.exeNEW ORDER 2021.exewlanext.exe

description	pid	process	target process
PID 3924 set thread context of 3512	3924	NEW ORDER 2021.exe	NEW ORDER 2021.exe
PID 3512 set thread context of 3032	3512	NEW ORDER 2021.exe	Explorer.EXE
PID 3512 set thread context of 3032	3512	NEW ORDER 2021.exe	Explorer.EXE
PID 592 set thread context of 3032	592	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

NEW ORDER 2021.exewlanext.exe

pid	process
3512	NEW ORDER 2021.exe
3512	NEW ORDER 2021.exe
3512	NEW ORDER 2021.exe
3512	NEW ORDER 2021.exe
3512	NEW ORDER 2021.exe
3512	NEW ORDER 2021.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe
592	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3032 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

NEW ORDER 2021.exewlanext.exe

pid process

3512 NEW ORDER 2021.exe
3512 NEW ORDER 2021.exe
3512 NEW ORDER 2021.exe
3512 NEW ORDER 2021.exe
592 wlanext.exe
592 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

NEW ORDER 2021.exewlanext.exe

description pid process

Token: SeDebugPrivilege 3512 NEW ORDER 2021.exe
Token: SeDebugPrivilege 592 wlanext.exe

pid	process
3032	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3512	NEW ORDER 2021.exe
Token: SeDebugPrivilege	592	wlanext.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

NEW ORDER 2021.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 3924 wrote to memory of 3512	3924	NEW ORDER 2021.exe	NEW ORDER 2021.exe
PID 3924 wrote to memory of 3512	3924	NEW ORDER 2021.exe	NEW ORDER 2021.exe
PID 3924 wrote to memory of 3512	3924	NEW ORDER 2021.exe	NEW ORDER 2021.exe
PID 3924 wrote to memory of 3512	3924	NEW ORDER 2021.exe	NEW ORDER 2021.exe
PID 3924 wrote to memory of 3512	3924	NEW ORDER 2021.exe	NEW ORDER 2021.exe
PID 3924 wrote to memory of 3512	3924	NEW ORDER 2021.exe	NEW ORDER 2021.exe
PID 3032 wrote to memory of 592	3032	Explorer.EXE	wlanext.exe
PID 3032 wrote to memory of 592	3032	Explorer.EXE	wlanext.exe
PID 3032 wrote to memory of 592	3032	Explorer.EXE	wlanext.exe
PID 592 wrote to memory of 60	592	wlanext.exe	cmd.exe
PID 592 wrote to memory of 60	592	wlanext.exe	cmd.exe
PID 592 wrote to memory of 60	592	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\NEW ORDER 2021.exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER 2021.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3924

C:\Users\Admin\AppData\Local\Temp\NEW ORDER 2021.exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER 2021.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:660

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\NEW ORDER 2021.exe"
3⤵
PID:60

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsqB901.tmp\qyspb.dll
MD5
22a23f902e2e0860cf41e1534461282d

SHA1
290d37c360cbcd823a43be36b92d84cd2e69f9fe

SHA256
7038059f5e4caa6f5c64129f562cc7d406859c66bf5cee59025c0afc7ca80c66

SHA512
ad766d2d8ca97e8703ee93a7a0557d32909c7014ae3f438a9327d9b204f099ca83a5831b797a425393711075f3a773c662b4e21e13e7051ad093f0cefab65df6

Download Submit
memory/60-128-0x0000000000000000-mapping.dmp

Download
memory/592-130-0x0000000003350000-0x00000000033E0000-memory.dmp

Filesize
576KB

Download
memory/592-129-0x00000000034F0000-0x0000000003810000-memory.dmp

Filesize
3.1MB

Download
memory/592-127-0x0000000000BA0000-0x0000000000BC9000-memory.dmp

Filesize
164KB

Download
memory/592-126-0x0000000001330000-0x0000000001347000-memory.dmp

Filesize
92KB

Download
memory/592-125-0x0000000000000000-mapping.dmp

Download
memory/3032-124-0x0000000005E60000-0x0000000005FE5000-memory.dmp

Filesize
1.5MB

Download
memory/3032-121-0x0000000005BE0000-0x0000000005D76000-memory.dmp

Filesize
1.6MB

Download
memory/3032-131-0x00000000024C0000-0x0000000002566000-memory.dmp

Filesize
664KB

Download
memory/3512-123-0x0000000000A20000-0x0000000000A31000-memory.dmp

Filesize
68KB

Download
memory/3512-122-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3512-120-0x00000000009D0000-0x00000000009E1000-memory.dmp

Filesize
68KB

Download
memory/3512-119-0x0000000000A70000-0x0000000000D90000-memory.dmp

Filesize
3.1MB

Download
memory/3512-117-0x000000000041D4C0-mapping.dmp

Download
memory/3512-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads