xloader | 2c9c53afeadf78570137cbee063eb4446a2f2086d516b348199ed4500434c126

General

Target

Order-8011964-pdf.exe
Size

246KB
MD5

e15ae6b598e9b227a07a09056570afd6
SHA1

46b5a6c316570f75be5f9732ece769547d431e39
SHA256

2c9c53afeadf78570137cbee063eb4446a2f2086d516b348199ed4500434c126
SHA512

9648aaae24b7384a12b3c165591c781c375cec2af31afa60002060d9ba81e0f4d616d50ac1e10dedd6d7c363a56ccdceb29598aac517d7dd4341b24256b93ad1

Score

10^/10

xloader uar3 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3520-118-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3584-124-0x0000000000B10000-0x0000000000B39000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

Order-8011964-pdf.exe

pid process

2664 Order-8011964-pdf.exe

pid	process
2664	Order-8011964-pdf.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Order-8011964-pdf.exeOrder-8011964-pdf.exeexplorer.exe

description	pid	process	target process
PID 2664 set thread context of 3520	2664	Order-8011964-pdf.exe	Order-8011964-pdf.exe
PID 3520 set thread context of 3064	3520	Order-8011964-pdf.exe	Explorer.EXE
PID 3584 set thread context of 3064	3584	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

Order-8011964-pdf.exeexplorer.exe

pid	process
3520	Order-8011964-pdf.exe
3520	Order-8011964-pdf.exe
3520	Order-8011964-pdf.exe
3520	Order-8011964-pdf.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe
3584	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3064 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Order-8011964-pdf.exeexplorer.exe

pid process

3520 Order-8011964-pdf.exe
3520 Order-8011964-pdf.exe
3520 Order-8011964-pdf.exe
3584 explorer.exe
3584 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Order-8011964-pdf.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 3520 Order-8011964-pdf.exe
Token: SeDebugPrivilege 3584 explorer.exe

pid	process
3064	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3520	Order-8011964-pdf.exe
Token: SeDebugPrivilege	3584	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Order-8011964-pdf.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 2664 wrote to memory of 3520	2664	Order-8011964-pdf.exe	Order-8011964-pdf.exe
PID 2664 wrote to memory of 3520	2664	Order-8011964-pdf.exe	Order-8011964-pdf.exe
PID 2664 wrote to memory of 3520	2664	Order-8011964-pdf.exe	Order-8011964-pdf.exe
PID 2664 wrote to memory of 3520	2664	Order-8011964-pdf.exe	Order-8011964-pdf.exe
PID 2664 wrote to memory of 3520	2664	Order-8011964-pdf.exe	Order-8011964-pdf.exe
PID 2664 wrote to memory of 3520	2664	Order-8011964-pdf.exe	Order-8011964-pdf.exe
PID 3064 wrote to memory of 3584	3064	Explorer.EXE	explorer.exe
PID 3064 wrote to memory of 3584	3064	Explorer.EXE	explorer.exe
PID 3064 wrote to memory of 3584	3064	Explorer.EXE	explorer.exe
PID 3584 wrote to memory of 1352	3584	explorer.exe	cmd.exe
PID 3584 wrote to memory of 1352	3584	explorer.exe	cmd.exe
PID 3584 wrote to memory of 1352	3584	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\Order-8011964-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Order-8011964-pdf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\Order-8011964-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Order-8011964-pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Order-8011964-pdf.exe"
3⤵
PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nspD091.tmp\kkixhqk.dll
MD5
3c5d78d7038df7b38383c988ceebe3aa

SHA1
20a6f418fb9650f54eaf3d1c6a63b7240684e4ed

SHA256
8bd3f637d66238b9fb72b7c78b38e8b72d81d85912ec9cf9d8166d5a42946317

SHA512
f819eaca443d595ff6ae171dfb17a7def3d16a7b8907d8636b0aa2dba7f0b044b6a67f01944a44f8df19d02cb07a6b931ebe1ce889de19ae0b3189826a6e0103

Download Submit
memory/3064-122-0x00000000067F0000-0x000000000694E000-memory.dmp

Filesize
1.4MB

Download
memory/3064-127-0x0000000002710000-0x00000000027B7000-memory.dmp

Filesize
668KB

Download
memory/3520-118-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3520-120-0x0000000000A50000-0x0000000000D70000-memory.dmp

Filesize
3.1MB

Download
memory/3520-121-0x00000000004B0000-0x000000000055E000-memory.dmp

Filesize
696KB

Download
memory/3584-123-0x0000000000CD0000-0x000000000110F000-memory.dmp

Filesize
4.2MB

Download
memory/3584-124-0x0000000000B10000-0x0000000000B39000-memory.dmp

Filesize
164KB

Download
memory/3584-125-0x00000000051B0000-0x00000000054D0000-memory.dmp

Filesize
3.1MB

Download
memory/3584-126-0x0000000004E80000-0x0000000005010000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads