xloader | 81fc763d0863d2011499222a0683aed63c881b20ccf70d5775125451bf36b76a

General

Target

payment advice.ro9,pdf.exe
Size

607KB
MD5

5a3452246e02aa71c5d55a89e46cd310
SHA1

07cc96501710f0d80455fe9b5e34d4b9c1a3d05a
SHA256

81fc763d0863d2011499222a0683aed63c881b20ccf70d5775125451bf36b76a
SHA512

7b611c4385dae6bbc09bf9c866d0011e50bbda253917861ae33862f065017424ea97867eae8a02fc69ce24d6d344a8f4af1b38dd2ae6a0681403929fdcfbe4c0

Score

10^/10

xloader tod8 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

tod8

Decoy

shabizy5.com

sattaking-delhiborder01.xyz

venetianmountains.com

vertogaastad.quest

zimalek.com

olympiacrownhotel.com

dubbostorage.online

mosescorrea.com

japanroofing.com

mashareq.store

gdetcz.com

slimmersite.com

aplintec.com

878971.com

charlottesbestroofcompany.com

into-mena.com

newlysupply.com

bianncapace.com

netrew.com

anhecapital.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3804-120-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3804-123-0x0000000000910000-0x0000000000AAA000-memory.dmp	xloader
behavioral2/memory/3672-126-0x0000000000600000-0x0000000000629000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

payment advice.ro9,pdf.exe

pid process

2552 payment advice.ro9,pdf.exe

pid	process
2552	payment advice.ro9,pdf.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

payment advice.ro9,pdf.exepayment advice.ro9,pdf.exehelp.exe

description	pid	process	target process
PID 2552 set thread context of 3804	2552	payment advice.ro9,pdf.exe	payment advice.ro9,pdf.exe
PID 3804 set thread context of 3012	3804	payment advice.ro9,pdf.exe	Explorer.EXE
PID 3672 set thread context of 3012	3672	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

payment advice.ro9,pdf.exehelp.exe

pid	process
3804	payment advice.ro9,pdf.exe
3804	payment advice.ro9,pdf.exe
3804	payment advice.ro9,pdf.exe
3804	payment advice.ro9,pdf.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe
3672	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3012 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

payment advice.ro9,pdf.exehelp.exe

pid process

3804 payment advice.ro9,pdf.exe
3804 payment advice.ro9,pdf.exe
3804 payment advice.ro9,pdf.exe
3672 help.exe
3672 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

payment advice.ro9,pdf.exehelp.exe

description pid process

Token: SeDebugPrivilege 3804 payment advice.ro9,pdf.exe
Token: SeDebugPrivilege 3672 help.exe

pid	process
3012	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3804	payment advice.ro9,pdf.exe
Token: SeDebugPrivilege	3672	help.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

payment advice.ro9,pdf.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 2552 wrote to memory of 3804	2552	payment advice.ro9,pdf.exe	payment advice.ro9,pdf.exe
PID 2552 wrote to memory of 3804	2552	payment advice.ro9,pdf.exe	payment advice.ro9,pdf.exe
PID 2552 wrote to memory of 3804	2552	payment advice.ro9,pdf.exe	payment advice.ro9,pdf.exe
PID 2552 wrote to memory of 3804	2552	payment advice.ro9,pdf.exe	payment advice.ro9,pdf.exe
PID 2552 wrote to memory of 3804	2552	payment advice.ro9,pdf.exe	payment advice.ro9,pdf.exe
PID 2552 wrote to memory of 3804	2552	payment advice.ro9,pdf.exe	payment advice.ro9,pdf.exe
PID 3012 wrote to memory of 3672	3012	Explorer.EXE	help.exe
PID 3012 wrote to memory of 3672	3012	Explorer.EXE	help.exe
PID 3012 wrote to memory of 3672	3012	Explorer.EXE	help.exe
PID 3672 wrote to memory of 592	3672	help.exe	cmd.exe
PID 3672 wrote to memory of 592	3672	help.exe	cmd.exe
PID 3672 wrote to memory of 592	3672	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\payment advice.ro9,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\payment advice.ro9,pdf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\payment advice.ro9,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\payment advice.ro9,pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\payment advice.ro9,pdf.exe"
3⤵
PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nszE949.tmp\jfay.dll
MD5
f6303ff47a3f9ae77f90a43ce73ed4c4

SHA1
b8761d249917348eb9b4bbc41cac93c61cbf7dfa

SHA256
b133ef10c41b4dd470ba411a84c327394cdf7bc4f1277d3e7117aa13da5c05bc

SHA512
12b1f9fcd28e6debdaec038e679508ce4445a2f208ee5b5f0b399ead579796c51bd0c876c422536ad94d9294c58818d704d1cd531ab517f5fecfce5bb544f8df

Download Submit
memory/2552-119-0x00000000022C0000-0x00000000022C2000-memory.dmp

Filesize
8KB

Download
memory/3012-124-0x0000000004B40000-0x0000000004C72000-memory.dmp

Filesize
1.2MB

Download
memory/3012-129-0x00000000005C0000-0x0000000000656000-memory.dmp

Filesize
600KB

Download
memory/3672-125-0x0000000000BA0000-0x0000000000BA7000-memory.dmp

Filesize
28KB

Download
memory/3672-126-0x0000000000600000-0x0000000000629000-memory.dmp

Filesize
164KB

Download
memory/3672-127-0x0000000003090000-0x00000000033B0000-memory.dmp

Filesize
3.1MB

Download
memory/3672-128-0x0000000000930000-0x0000000002D43000-memory.dmp

Filesize
36.1MB

Download
memory/3804-120-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3804-122-0x0000000000AB0000-0x0000000000DD0000-memory.dmp

Filesize
3.1MB

Download
memory/3804-123-0x0000000000910000-0x0000000000AAA000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads