xloader | 11128ecb20c21ca6dd1bc29409c2a33de2aa5f6db4483bd1062085821d3b4186

General

Target

TT_SWIFT_Export Order_noref S10SMG00318021.exe
Size

653KB
MD5

fff91c58119d3cd7f68457e8565f7116
SHA1

4201eb7214bd3658889739e4856412b8063e0405
SHA256

f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745
SHA512

c05cf9e0ed2aad4c08b394d97fc1257d273aa8dd51a45487ba51ff5973ab7b2227aba7ea1e1e8e9daf7416aaea418b06edfa29ff93665f6d3cc5b1a392dbed92

Score

10^/10

xloader 46uq loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

46uq

Decoy

beardeddentguy.com

envirobombs.com

mintbox.pro

xiangpusun.com

pyjama-france.com

mendocinocountylive.com

innovativepropsolutions.com

hpsaddlerock.com

qrmaindonesia.com

liphelp.com

archaeaenergy.info

18446744073709551615.com

littlecreekacresri.com

elderlycareacademy.com

drshivanieyecare.com

ashibumi.com

stevenalexandergolf.com

adoratv.net

visitnewrichmond.com

fxbvanpool.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2352-137-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2352-143-0x00000000011F0000-0x000000000138C000-memory.dmp	xloader
behavioral2/memory/2132-149-0x00000000008C0000-0x00000000008E9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

TT_SWIFT_Export Order_noref S10SMG00318021.exeTT_SWIFT_Export Order_noref S10SMG00318021.exesvchost.exe

description	pid	process	target process
PID 1552 set thread context of 2352	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe	TT_SWIFT_Export Order_noref S10SMG00318021.exe
PID 2352 set thread context of 2968	2352	TT_SWIFT_Export Order_noref S10SMG00318021.exe	Explorer.EXE
PID 2132 set thread context of 2968	2132	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1840 schtasks.exe

pid	process
1840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

TT_SWIFT_Export Order_noref S10SMG00318021.exeTT_SWIFT_Export Order_noref S10SMG00318021.exepowershell.exepowershell.exesvchost.exe

pid	process
1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe
1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe
1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe
1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe
1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe
1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe
1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe
1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe
2352	TT_SWIFT_Export Order_noref S10SMG00318021.exe
2352	TT_SWIFT_Export Order_noref S10SMG00318021.exe
2352	TT_SWIFT_Export Order_noref S10SMG00318021.exe
2352	TT_SWIFT_Export Order_noref S10SMG00318021.exe
2688	powershell.exe
2696	powershell.exe
2696	powershell.exe
2688	powershell.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2696	powershell.exe
2688	powershell.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe
2132	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2968 Explorer.EXE

pid	process
2968	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

TT_SWIFT_Export Order_noref S10SMG00318021.exesvchost.exe

pid	process
2352	TT_SWIFT_Export Order_noref S10SMG00318021.exe
2352	TT_SWIFT_Export Order_noref S10SMG00318021.exe
2352	TT_SWIFT_Export Order_noref S10SMG00318021.exe
2132	svchost.exe
2132	svchost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

TT_SWIFT_Export Order_noref S10SMG00318021.exepowershell.exepowershell.exeTT_SWIFT_Export Order_noref S10SMG00318021.exesvchost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2352	TT_SWIFT_Export Order_noref S10SMG00318021.exe
Token: SeDebugPrivilege	2132	svchost.exe
Token: SeShutdownPrivilege	2968	Explorer.EXE
Token: SeCreatePagefilePrivilege	2968	Explorer.EXE
Token: SeShutdownPrivilege	2968	Explorer.EXE
Token: SeCreatePagefilePrivilege	2968	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

TT_SWIFT_Export Order_noref S10SMG00318021.exeExplorer.EXE

description	pid	process	target process
PID 1552 wrote to memory of 2696	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe	powershell.exe
PID 1552 wrote to memory of 2696	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe	powershell.exe
PID 1552 wrote to memory of 2696	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe	powershell.exe
PID 1552 wrote to memory of 2688	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe	powershell.exe
PID 1552 wrote to memory of 2688	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe	powershell.exe
PID 1552 wrote to memory of 2688	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe	powershell.exe
PID 1552 wrote to memory of 1840	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe	schtasks.exe
PID 1552 wrote to memory of 1840	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe	schtasks.exe
PID 1552 wrote to memory of 1840	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe	schtasks.exe
PID 1552 wrote to memory of 2352	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe	TT_SWIFT_Export Order_noref S10SMG00318021.exe
PID 1552 wrote to memory of 2352	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe	TT_SWIFT_Export Order_noref S10SMG00318021.exe
PID 1552 wrote to memory of 2352	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe	TT_SWIFT_Export Order_noref S10SMG00318021.exe
PID 1552 wrote to memory of 2352	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe	TT_SWIFT_Export Order_noref S10SMG00318021.exe
PID 1552 wrote to memory of 2352	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe	TT_SWIFT_Export Order_noref S10SMG00318021.exe
PID 1552 wrote to memory of 2352	1552	TT_SWIFT_Export Order_noref S10SMG00318021.exe	TT_SWIFT_Export Order_noref S10SMG00318021.exe
PID 2968 wrote to memory of 2132	2968	Explorer.EXE	svchost.exe
PID 2968 wrote to memory of 2132	2968	Explorer.EXE	svchost.exe
PID 2968 wrote to memory of 2132	2968	Explorer.EXE	svchost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\TT_SWIFT_Export Order_noref S10SMG00318021.exe
"C:\Users\Admin\AppData\Local\Temp\TT_SWIFT_Export Order_noref S10SMG00318021.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TT_SWIFT_Export Order_noref S10SMG00318021.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AnsPejV.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9244.tmp"
3⤵
- Creates scheduled task(s)
PID:1840

C:\Users\Admin\AppData\Local\Temp\TT_SWIFT_Export Order_noref S10SMG00318021.exe
"C:\Users\Admin\AppData\Local\Temp\TT_SWIFT_Export Order_noref S10SMG00318021.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e4d6f3b6a6cbfce4b882fd7539ab0611

SHA1
dd95a84c520f229b2b5810bed0406026c596bd82

SHA256
c31ae635233f8a554f49c89671c7bcdb5edbaba319011d6e54ddcc7672097000

SHA512
c818966b8183b0c6862af040b6e4cea1108cdb82cca941ff4b5f56b2d9b8c8b586498aa5626dfc58bc77c6c92d3ea80c55d0fe8250467b20f218a1a5590fab01

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9244.tmp
MD5
291b8ef34d3dae7ae42604ffe9a580d9

SHA1
04f4c7f8fa83aafddfc4d8b52096c2adff1f96d6

SHA256
32ea6893bcabc635ab3ac4384fb8d1970e03af31a8602aec02ab8da8e2b2785d

SHA512
16a91b34b205ce52db128fd76b9c92b6f653e9ff46108a8c2a8eeb59c3adaea9792d07211c7387f663cc1eef2763e94e563687cab188b4a2dd3cef3f9e9b52b9

Download Submit
memory/1552-125-0x0000000006CB0000-0x00000000071AE000-memory.dmp

Filesize
5.0MB

Download
memory/1552-117-0x0000000005B20000-0x0000000005BB2000-memory.dmp

Filesize
584KB

Download
memory/1552-120-0x0000000006170000-0x000000000617E000-memory.dmp

Filesize
56KB

Download
memory/1552-121-0x00000000064C0000-0x000000000650B000-memory.dmp

Filesize
300KB

Download
memory/1552-122-0x0000000005A63000-0x0000000005A65000-memory.dmp

Filesize
8KB

Download
memory/1552-123-0x0000000001700000-0x000000000179C000-memory.dmp

Filesize
624KB

Download
memory/1552-124-0x00000000031D0000-0x0000000003232000-memory.dmp

Filesize
392KB

Download
memory/1552-116-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/1552-118-0x0000000005C70000-0x0000000005D1A000-memory.dmp

Filesize
680KB

Download
memory/1552-119-0x0000000005E10000-0x0000000006160000-memory.dmp

Filesize
3.3MB

Download
memory/1552-115-0x0000000000FE0000-0x0000000001088000-memory.dmp

Filesize
672KB

Download
memory/2132-184-0x0000000003190000-0x0000000003320000-memory.dmp

Filesize
1.6MB

Download
memory/2132-148-0x0000000000950000-0x000000000095C000-memory.dmp

Filesize
48KB

Download
memory/2132-150-0x0000000003320000-0x0000000003640000-memory.dmp

Filesize
3.1MB

Download
memory/2132-149-0x00000000008C0000-0x00000000008E9000-memory.dmp

Filesize
164KB

Download
memory/2352-142-0x0000000001390000-0x00000000016B0000-memory.dmp

Filesize
3.1MB

Download
memory/2352-137-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2352-143-0x00000000011F0000-0x000000000138C000-memory.dmp

Filesize
1.6MB

Download
memory/2688-169-0x0000000008A40000-0x0000000008A5E000-memory.dmp

Filesize
120KB

Download
memory/2688-133-0x00000000010D2000-0x00000000010D3000-memory.dmp

Filesize
4KB

Download
memory/2688-132-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/2688-579-0x0000000008E70000-0x0000000008E78000-memory.dmp

Filesize
32KB

Download
memory/2688-145-0x00000000074E0000-0x0000000007830000-memory.dmp

Filesize
3.3MB

Download
memory/2688-147-0x0000000006D40000-0x0000000006D8B000-memory.dmp

Filesize
300KB

Download
memory/2688-183-0x00000000010D3000-0x00000000010D4000-memory.dmp

Filesize
4KB

Download
memory/2688-180-0x0000000008BB0000-0x0000000008C55000-memory.dmp

Filesize
660KB

Download
memory/2688-136-0x0000000006DB0000-0x00000000073D8000-memory.dmp

Filesize
6.2MB

Download
memory/2688-178-0x000000007E960000-0x000000007E961000-memory.dmp

Filesize
4KB

Download
memory/2688-151-0x0000000007BC0000-0x0000000007C36000-memory.dmp

Filesize
472KB

Download
memory/2696-139-0x0000000007470000-0x0000000007492000-memory.dmp

Filesize
136KB

Download
memory/2696-146-0x0000000007CE0000-0x0000000007CFC000-memory.dmp

Filesize
112KB

Download
memory/2696-134-0x0000000006E92000-0x0000000006E93000-memory.dmp

Filesize
4KB

Download
memory/2696-179-0x000000007FA50000-0x000000007FA51000-memory.dmp

Filesize
4KB

Download
memory/2696-141-0x0000000007B70000-0x0000000007BD6000-memory.dmp

Filesize
408KB

Download
memory/2696-181-0x0000000009890000-0x0000000009924000-memory.dmp

Filesize
592KB

Download
memory/2696-182-0x0000000006E93000-0x0000000006E94000-memory.dmp

Filesize
4KB

Download
memory/2696-168-0x0000000009390000-0x00000000093C3000-memory.dmp

Filesize
204KB

Download
memory/2696-131-0x0000000006E90000-0x0000000006E91000-memory.dmp

Filesize
4KB

Download
memory/2696-130-0x00000000049D0000-0x0000000004A06000-memory.dmp

Filesize
216KB

Download
memory/2696-570-0x0000000009790000-0x00000000097AA000-memory.dmp

Filesize
104KB

Download
memory/2696-140-0x0000000007D50000-0x0000000007DB6000-memory.dmp

Filesize
408KB

Download
memory/2968-144-0x0000000007140000-0x00000000072AF000-memory.dmp

Filesize
1.4MB

Download
memory/2968-185-0x0000000001450000-0x00000000014ED000-memory.dmp

Filesize
628KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads