xloader | 776a5c20a347e729fd9fa02388673f3769a4a5aa7d4e44f579c581c9a928e097

General

Target

PO-NOV20211115.exe
Size

4.6MB
MD5

a4830938aeb704c9b11b2261efdef1fc
SHA1

645111b29a544379ee7c15b44ec11fef103158f3
SHA256

776a5c20a347e729fd9fa02388673f3769a4a5aa7d4e44f579c581c9a928e097
SHA512

9c96dd62907d292e45ceb8ccb98af6625d6e97b47ffd46662e3fcf7055a3565ac181a78c748c451a2c295659bad0fda03b19be6f0fcaf9d522003c2b8b5ad324

Score

10^/10

xloader re6p agilenet loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

re6p

C2

http://www.workwithmarym.com/re6p/

Decoy

jedidpress.com

firstimpression.global

iflycny.com

greenandskin.com

tt9577.com

sumidocpa.com

readsprouts.com

heavenlyhighcreations.com

jlhvz.com

ita-web.com

graeds.com

soundtolight.xyz

rajtantra.net

wearinganawesomewoman.store

hrappur.net

wangmiaojf.xyz

youtogo.xyz

mydeadzone.com

qenagypsum.com

kopijhony.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1580-76-0x000000000041D480-mapping.dmp	xloader
behavioral1/memory/1580-78-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader
behavioral1/memory/1952-87-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

bin.exeAddInProcess32.exe

pid process

1560 bin.exe
1580 AddInProcess32.exe
Drops startup file 1 IoCs

Processes:

PO-NOV20211115.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bin.lnk PO-NOV20211115.exe
Loads dropped DLL 2 IoCs

Processes:

PO-NOV20211115.exebin.exe

pid process

1048 PO-NOV20211115.exe
1560 bin.exe

pid	process
1560	bin.exe
1580	AddInProcess32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bin.lnk	PO-NOV20211115.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1048-58-0x0000000000D00000-0x0000000000D21000-memory.dmp	agile_net

Suspicious use of SetThreadContext 3 IoCs

Processes:

bin.exeAddInProcess32.exeexplorer.exe

description	pid	process	target process
PID 1560 set thread context of 1580	1560	bin.exe	AddInProcess32.exe
PID 1580 set thread context of 1220	1580	AddInProcess32.exe	Explorer.EXE
PID 1952 set thread context of 1220	1952	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

PO-NOV20211115.exebin.exeAddInProcess32.exeexplorer.exe

pid	process
1048	PO-NOV20211115.exe
1048	PO-NOV20211115.exe
1048	PO-NOV20211115.exe
1560	bin.exe
1560	bin.exe
1580	AddInProcess32.exe
1580	AddInProcess32.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

AddInProcess32.exeexplorer.exe

pid process

1580 AddInProcess32.exe
1580 AddInProcess32.exe
1580 AddInProcess32.exe
1952 explorer.exe
1952 explorer.exe

pid	process
1580	AddInProcess32.exe
1580	AddInProcess32.exe
1580	AddInProcess32.exe
1952	explorer.exe
1952	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PO-NOV20211115.exebin.exeAddInProcess32.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1048	PO-NOV20211115.exe
Token: SeDebugPrivilege	1560	bin.exe
Token: SeDebugPrivilege	1580	AddInProcess32.exe
Token: SeDebugPrivilege	1952	explorer.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

PO-NOV20211115.exebin.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 1048 wrote to memory of 1560	1048	PO-NOV20211115.exe	bin.exe
PID 1048 wrote to memory of 1560	1048	PO-NOV20211115.exe	bin.exe
PID 1048 wrote to memory of 1560	1048	PO-NOV20211115.exe	bin.exe
PID 1048 wrote to memory of 1560	1048	PO-NOV20211115.exe	bin.exe
PID 1560 wrote to memory of 1580	1560	bin.exe	AddInProcess32.exe
PID 1560 wrote to memory of 1580	1560	bin.exe	AddInProcess32.exe
PID 1560 wrote to memory of 1580	1560	bin.exe	AddInProcess32.exe
PID 1560 wrote to memory of 1580	1560	bin.exe	AddInProcess32.exe
PID 1560 wrote to memory of 1580	1560	bin.exe	AddInProcess32.exe
PID 1560 wrote to memory of 1580	1560	bin.exe	AddInProcess32.exe
PID 1560 wrote to memory of 1580	1560	bin.exe	AddInProcess32.exe
PID 1220 wrote to memory of 1952	1220	Explorer.EXE	explorer.exe
PID 1220 wrote to memory of 1952	1220	Explorer.EXE	explorer.exe
PID 1220 wrote to memory of 1952	1220	Explorer.EXE	explorer.exe
PID 1220 wrote to memory of 1952	1220	Explorer.EXE	explorer.exe
PID 1952 wrote to memory of 1816	1952	explorer.exe	cmd.exe
PID 1952 wrote to memory of 1816	1952	explorer.exe	cmd.exe
PID 1952 wrote to memory of 1816	1952	explorer.exe	cmd.exe
PID 1952 wrote to memory of 1816	1952	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\PO-NOV20211115.exe
"C:\Users\Admin\AppData\Local\Temp\PO-NOV20211115.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bin.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bin.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bin.exe
MD5
a4830938aeb704c9b11b2261efdef1fc

SHA1
645111b29a544379ee7c15b44ec11fef103158f3

SHA256
776a5c20a347e729fd9fa02388673f3769a4a5aa7d4e44f579c581c9a928e097

SHA512
9c96dd62907d292e45ceb8ccb98af6625d6e97b47ffd46662e3fcf7055a3565ac181a78c748c451a2c295659bad0fda03b19be6f0fcaf9d522003c2b8b5ad324

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bin.exe
MD5
a4830938aeb704c9b11b2261efdef1fc

SHA1
645111b29a544379ee7c15b44ec11fef103158f3

SHA256
776a5c20a347e729fd9fa02388673f3769a4a5aa7d4e44f579c581c9a928e097

SHA512
9c96dd62907d292e45ceb8ccb98af6625d6e97b47ffd46662e3fcf7055a3565ac181a78c748c451a2c295659bad0fda03b19be6f0fcaf9d522003c2b8b5ad324

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\bin.exe
MD5
a4830938aeb704c9b11b2261efdef1fc

SHA1
645111b29a544379ee7c15b44ec11fef103158f3

SHA256
776a5c20a347e729fd9fa02388673f3769a4a5aa7d4e44f579c581c9a928e097

SHA512
9c96dd62907d292e45ceb8ccb98af6625d6e97b47ffd46662e3fcf7055a3565ac181a78c748c451a2c295659bad0fda03b19be6f0fcaf9d522003c2b8b5ad324

Download Submit
memory/1048-57-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/1048-58-0x0000000000D00000-0x0000000000D21000-memory.dmp

Filesize
132KB

Download
memory/1048-59-0x00000000051A1000-0x00000000051A2000-memory.dmp

Filesize
4KB

Download
memory/1048-55-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1220-82-0x0000000006280000-0x00000000063E2000-memory.dmp

Filesize
1.4MB

Download
memory/1220-91-0x0000000003E10000-0x0000000003F13000-memory.dmp

Filesize
1.0MB

Download
memory/1560-64-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1560-70-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/1560-69-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/1560-68-0x0000000004751000-0x0000000004752000-memory.dmp

Filesize
4KB

Download
memory/1560-66-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/1560-61-0x0000000000000000-mapping.dmp

Download
memory/1580-74-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1580-78-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1580-81-0x0000000000210000-0x0000000000221000-memory.dmp

Filesize
68KB

Download
memory/1580-80-0x00000000007C0000-0x0000000000AC3000-memory.dmp

Filesize
3.0MB

Download
memory/1580-76-0x000000000041D480-mapping.dmp

Download
memory/1580-73-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1816-88-0x0000000000000000-mapping.dmp

Download
memory/1952-85-0x0000000074A71000-0x0000000074A73000-memory.dmp

Filesize
8KB

Download
memory/1952-86-0x0000000000EE0000-0x0000000001161000-memory.dmp

Filesize
2.5MB

Download
memory/1952-87-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1952-89-0x0000000002570000-0x0000000002873000-memory.dmp

Filesize
3.0MB

Download
memory/1952-84-0x0000000074E51000-0x0000000074E53000-memory.dmp

Filesize
8KB

Download
memory/1952-90-0x0000000000870000-0x0000000000900000-memory.dmp

Filesize
576KB

Download
memory/1952-83-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads