xloader | 56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db

General

Target

DEC SOA_09012022.exe
Size

373KB
MD5

6046b2f34b67e06c817f4375c6d26a54
SHA1

2230944a4216a07fde067866af7e81e1a52e8535
SHA256

56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db
SHA512

542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac

Score

10^/10

xloader igwa loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

igwa

Decoy

listingswithalex.com

funtabse.com

aydenwalling.com

prochal.net

superfoodsnederland.com

moldluck.com

dianekgordon.store

regionalhomescommercial.com

mysecuritymadesimple.com

malwaremastery.com

kodaikeiko.com

jrzg996.com

agricurve.net

songlingjiu.com

virginianundahfishingclub.com

friendschance.com

pastelpresents.com

answertitles.com

survival-hunter.com

nxfddl.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/592-56-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/592-57-0x000000000041D440-mapping.dmp	xloader
behavioral1/memory/744-64-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

924 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

DEC SOA_09012022.exe

pid process

1520 DEC SOA_09012022.exe

pid	process
924	cmd.exe

pid	process
1520	DEC SOA_09012022.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

DEC SOA_09012022.exeDEC SOA_09012022.exesystray.exe

description	pid	process	target process
PID 1520 set thread context of 592	1520	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 592 set thread context of 1276	592	DEC SOA_09012022.exe	Explorer.EXE
PID 744 set thread context of 1276	744	systray.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

DEC SOA_09012022.exesystray.exe

pid	process
592	DEC SOA_09012022.exe
592	DEC SOA_09012022.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe
744	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

DEC SOA_09012022.exesystray.exe

pid process

592 DEC SOA_09012022.exe
592 DEC SOA_09012022.exe
592 DEC SOA_09012022.exe
744 systray.exe
744 systray.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DEC SOA_09012022.exesystray.exe

description pid process

Token: SeDebugPrivilege 592 DEC SOA_09012022.exe
Token: SeDebugPrivilege 744 systray.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE

pid	process
1276	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	592	DEC SOA_09012022.exe
Token: SeDebugPrivilege	744	systray.exe

pid	process
1276	Explorer.EXE
1276	Explorer.EXE

pid	process
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

DEC SOA_09012022.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 1520 wrote to memory of 592	1520	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 1520 wrote to memory of 592	1520	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 1520 wrote to memory of 592	1520	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 1520 wrote to memory of 592	1520	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 1520 wrote to memory of 592	1520	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 1520 wrote to memory of 592	1520	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 1520 wrote to memory of 592	1520	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 1276 wrote to memory of 744	1276	Explorer.EXE	systray.exe
PID 1276 wrote to memory of 744	1276	Explorer.EXE	systray.exe
PID 1276 wrote to memory of 744	1276	Explorer.EXE	systray.exe
PID 1276 wrote to memory of 744	1276	Explorer.EXE	systray.exe
PID 744 wrote to memory of 924	744	systray.exe	cmd.exe
PID 744 wrote to memory of 924	744	systray.exe	cmd.exe
PID 744 wrote to memory of 924	744	systray.exe	cmd.exe
PID 744 wrote to memory of 924	744	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe
"C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe
"C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
3⤵
- Deletes itself
PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsiD2F9.tmp\rwxef.dll
MD5
52944a6532acdb2543a8f6076c5b1eeb

SHA1
f01e61cd9d9b724e1d77851440493858c008100b

SHA256
5432fa320cbf8e925f37aae93da2602d41e912dd8141332e38fb49b5c955290e

SHA512
b5510b843f40ef0e4d30ecac150409634cad612701575ca4f022bee266dba9b703cfdbd60c11018001d030ed45f9496815773d9dda3953bfe85af4d99260e22a

Download Submit
memory/592-60-0x0000000000350000-0x0000000000361000-memory.dmp

Filesize
68KB

Download
memory/592-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/592-57-0x000000000041D440-mapping.dmp

Download
memory/592-59-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/744-64-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/744-62-0x0000000000000000-mapping.dmp

Download
memory/744-63-0x00000000006D0000-0x00000000006D5000-memory.dmp

Filesize
20KB

Download
memory/744-66-0x0000000001F60000-0x0000000002263000-memory.dmp

Filesize
3.0MB

Download
memory/744-67-0x0000000000310000-0x00000000003A0000-memory.dmp

Filesize
576KB

Download
memory/924-65-0x0000000000000000-mapping.dmp

Download
memory/1276-61-0x0000000006AF0000-0x0000000006C98000-memory.dmp

Filesize
1.7MB

Download
memory/1276-68-0x0000000006510000-0x00000000065D1000-memory.dmp

Filesize
772KB

Download
memory/1520-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads