xloader | 56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db

General

Target

DEC SOA_09012022.exe
Size

373KB
MD5

6046b2f34b67e06c817f4375c6d26a54
SHA1

2230944a4216a07fde067866af7e81e1a52e8535
SHA256

56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db
SHA512

542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac

Score

10^/10

xloader igwa loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

igwa

Decoy

listingswithalex.com

funtabse.com

aydenwalling.com

prochal.net

superfoodsnederland.com

moldluck.com

dianekgordon.store

regionalhomescommercial.com

mysecuritymadesimple.com

malwaremastery.com

kodaikeiko.com

jrzg996.com

agricurve.net

songlingjiu.com

virginianundahfishingclub.com

friendschance.com

pastelpresents.com

answertitles.com

survival-hunter.com

nxfddl.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1096-55-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1096-56-0x000000000041D440-mapping.dmp	xloader
behavioral1/memory/472-65-0x00000000000C0000-0x00000000000E9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1000 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

DEC SOA_09012022.exe

pid process

956 DEC SOA_09012022.exe

pid	process
1000	cmd.exe

pid	process
956	DEC SOA_09012022.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

DEC SOA_09012022.exeDEC SOA_09012022.exeraserver.exe

description	pid	process	target process
PID 956 set thread context of 1096	956	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 1096 set thread context of 1300	1096	DEC SOA_09012022.exe	Explorer.EXE
PID 472 set thread context of 1300	472	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

DEC SOA_09012022.exeraserver.exe

pid	process
1096	DEC SOA_09012022.exe
1096	DEC SOA_09012022.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe
472	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1300 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

DEC SOA_09012022.exeraserver.exe

pid process

1096 DEC SOA_09012022.exe
1096 DEC SOA_09012022.exe
1096 DEC SOA_09012022.exe
472 raserver.exe
472 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DEC SOA_09012022.exeraserver.exe

description pid process

Token: SeDebugPrivilege 1096 DEC SOA_09012022.exe
Token: SeDebugPrivilege 472 raserver.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1300 Explorer.EXE
1300 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1300 Explorer.EXE
1300 Explorer.EXE

pid	process
1300	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1096	DEC SOA_09012022.exe
Token: SeDebugPrivilege	472	raserver.exe

pid	process
1300	Explorer.EXE
1300	Explorer.EXE

pid	process
1300	Explorer.EXE
1300	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

DEC SOA_09012022.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 956 wrote to memory of 1096	956	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 956 wrote to memory of 1096	956	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 956 wrote to memory of 1096	956	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 956 wrote to memory of 1096	956	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 956 wrote to memory of 1096	956	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 956 wrote to memory of 1096	956	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 956 wrote to memory of 1096	956	DEC SOA_09012022.exe	DEC SOA_09012022.exe
PID 1300 wrote to memory of 472	1300	Explorer.EXE	raserver.exe
PID 1300 wrote to memory of 472	1300	Explorer.EXE	raserver.exe
PID 1300 wrote to memory of 472	1300	Explorer.EXE	raserver.exe
PID 1300 wrote to memory of 472	1300	Explorer.EXE	raserver.exe
PID 472 wrote to memory of 1000	472	raserver.exe	cmd.exe
PID 472 wrote to memory of 1000	472	raserver.exe	cmd.exe
PID 472 wrote to memory of 1000	472	raserver.exe	cmd.exe
PID 472 wrote to memory of 1000	472	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe
"C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe
"C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:268

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
3⤵
- Deletes itself
PID:1000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstA7A6.tmp\rwxef.dll
MD5
52944a6532acdb2543a8f6076c5b1eeb

SHA1
f01e61cd9d9b724e1d77851440493858c008100b

SHA256
5432fa320cbf8e925f37aae93da2602d41e912dd8141332e38fb49b5c955290e

SHA512
b5510b843f40ef0e4d30ecac150409634cad612701575ca4f022bee266dba9b703cfdbd60c11018001d030ed45f9496815773d9dda3953bfe85af4d99260e22a

Download Submit
memory/472-67-0x0000000001C90000-0x0000000001D20000-memory.dmp

Filesize
576KB

Download
memory/472-65-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/472-66-0x0000000001E20000-0x0000000002123000-memory.dmp

Filesize
3.0MB

Download
memory/472-64-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/472-61-0x0000000000000000-mapping.dmp

Download
memory/956-53-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/1000-63-0x0000000000000000-mapping.dmp

Download
memory/1096-56-0x000000000041D440-mapping.dmp

Download
memory/1096-59-0x0000000000490000-0x00000000004A1000-memory.dmp

Filesize
68KB

Download
memory/1096-57-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1096-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1300-60-0x0000000006970000-0x0000000006B02000-memory.dmp

Filesize
1.6MB

Download
memory/1300-68-0x00000000073B0000-0x0000000007508000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads