xloader | bf2effec642ef493f04dfa747ab6933f48f0426cbba354ab3aae44815fa070f9

General

Target

U prilogu je izvod racuna.exe
Size

897KB
MD5

bf7656bd12573a9614800c04bc060b64
SHA1

cc38679d954c885e0e5417b8945ee3eceb05746c
SHA256

615e6f18d8843af256c4acca22d337f41c24795147dc7329968884a5e42caa10
SHA512

bf7e3a3e1f142a4371172c0e2c2671439bf4773b824247d70ddca05364f54b86b43faac2c78e356b53e3b4ce50b13c52d253833ea518519eb68a055416666fe0

Score

10^/10

xloader pvxz loader persistence rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pvxz

C2

http://www.finetipster.com/pvxz/

Decoy

imt-token.club

abravewayocen.online

shcloudcar.com

mshoppingworld.online

ncgf08.xyz

stuinfo.xyz

wesavetheplanetofficial.com

tourbox.xyz

believeinyourselftraining.com

jsboyat.com

aaeconomy.info

9etmorea.info

purosepeti7.com

goticketly.com

pinkmemorypt.com

mylifewellnesscentre.com

iridina.online

petrestore.online

neema.xyz

novelfooditalia.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3976-120-0x0000000000000000-mapping.dmp	xloader
behavioral2/memory/3976-122-0x0000000072480000-0x00000000724A9000-memory.dmp	xloader
behavioral2/memory/2096-130-0x0000000002480000-0x00000000024A9000-memory.dmp	xloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

U prilogu je izvod racuna.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qbuxleuj = "C:\\Users\\Public\\Libraries\\Qbuxleuj\\juelxubQ.url"	U prilogu je izvod racuna.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

U prilogu je izvod racuna.exe

description	ioc	process
File opened (read-only)	\??\A:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\P:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\X:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\Y:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\R:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\B:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\F:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\I:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\K:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\M:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\O:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\Q:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\T:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\U:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\G:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\H:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\V:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\E:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\J:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\L:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\N:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\S:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\W:	U prilogu je izvod racuna.exe
File opened (read-only)	\??\Z:	U prilogu je izvod racuna.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

mobsync.exeraserver.exe

description	pid	process	target process
PID 3976 set thread context of 3056	3976	mobsync.exe	Explorer.EXE
PID 2096 set thread context of 3056	2096	raserver.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

mobsync.exeraserver.exe

pid	process
3976	mobsync.exe
3976	mobsync.exe
3976	mobsync.exe
3976	mobsync.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3056 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

mobsync.exeraserver.exe

pid process

3976 mobsync.exe
3976 mobsync.exe
3976 mobsync.exe
2096 raserver.exe
2096 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mobsync.exeraserver.exe

description pid process

Token: SeDebugPrivilege 3976 mobsync.exe
Token: SeDebugPrivilege 2096 raserver.exe

pid	process
3056	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3976	mobsync.exe
Token: SeDebugPrivilege	2096	raserver.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

U prilogu je izvod racuna.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 3068 wrote to memory of 3976	3068	U prilogu je izvod racuna.exe	mobsync.exe
PID 3068 wrote to memory of 3976	3068	U prilogu je izvod racuna.exe	mobsync.exe
PID 3068 wrote to memory of 3976	3068	U prilogu je izvod racuna.exe	mobsync.exe
PID 3068 wrote to memory of 3976	3068	U prilogu je izvod racuna.exe	mobsync.exe
PID 3068 wrote to memory of 3976	3068	U prilogu je izvod racuna.exe	mobsync.exe
PID 3068 wrote to memory of 3976	3068	U prilogu je izvod racuna.exe	mobsync.exe
PID 3056 wrote to memory of 2096	3056	Explorer.EXE	raserver.exe
PID 3056 wrote to memory of 2096	3056	Explorer.EXE	raserver.exe
PID 3056 wrote to memory of 2096	3056	Explorer.EXE	raserver.exe
PID 2096 wrote to memory of 3588	2096	raserver.exe	cmd.exe
PID 2096 wrote to memory of 3588	2096	raserver.exe	cmd.exe
PID 2096 wrote to memory of 3588	2096	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\U prilogu je izvod racuna.exe
"C:\Users\Admin\AppData\Local\Temp\U prilogu je izvod racuna.exe"
2⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\mobsync.exe
C:\Windows\System32\mobsync.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\mobsync.exe"
3⤵
PID:3588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2096-129-0x0000000000170000-0x000000000018F000-memory.dmp

Filesize
124KB

Download
memory/2096-132-0x00000000041F0000-0x0000000004280000-memory.dmp

Filesize
576KB

Download
memory/2096-131-0x0000000004340000-0x0000000004660000-memory.dmp

Filesize
3.1MB

Download
memory/2096-130-0x0000000002480000-0x00000000024A9000-memory.dmp

Filesize
164KB

Download
memory/2096-127-0x0000000000000000-mapping.dmp

Download
memory/3056-133-0x0000000005D40000-0x0000000005EAB000-memory.dmp

Filesize
1.4MB

Download
memory/3056-126-0x00000000025B0000-0x0000000002681000-memory.dmp

Filesize
836KB

Download
memory/3068-119-0x00000000022F1000-0x0000000002305000-memory.dmp

Filesize
80KB

Download
memory/3068-118-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/3588-128-0x0000000000000000-mapping.dmp

Download
memory/3976-122-0x0000000072480000-0x00000000724A9000-memory.dmp

Filesize
164KB

Download
memory/3976-125-0x0000000001140000-0x0000000001151000-memory.dmp

Filesize
68KB

Download
memory/3976-124-0x0000000004650000-0x0000000004970000-memory.dmp

Filesize
3.1MB

Download
memory/3976-121-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/3976-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads