xloader | 6bcdd75542af9c7a5f4e4c8bb2bccb04742fedbc0f2c189b4d6e10884f9244a8

General

Target

2021_036,pdf.exe
Size

220KB
MD5

251729c3c3a66cb76aab3fe702145906
SHA1

19ecdee079a7abb02a82781af0e14d5a7f54705f
SHA256

5f3be7bf52d0617f50d8dcf095edc606854a589a94f2ac8186d6b9406960aa86
SHA512

e2d7af9a4be4b86cd1fd08e40f297b8cf417f8977986ce7832bf73f797cca7a05da5ea5398df8ff155d3a8087ed5c8a00ce5b2676509a8c667c081b7db77b9a0

Score

10^/10

xloader gh6n loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

gh6n

Decoy

cpschoolsschoology.com

thestocksforum.com

pixiewish.com

sopressd.com

muktokontha.com

tiejiabang.net

fdo.technology

kuringnl.com

barbarapastor.com

21stcenturytrading.com

digiwarung.com

canvafynyc.com

forfaitinghouse.com

3704368.com

mymonwero.com

ponpow.com

fringe.golf

heartfeltindonesia.com

defensivedrivercpc.com

allaboutgt.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/460-59-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1412-65-0x0000000000090000-0x00000000000B8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1392 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

2021_036,pdf.exe

pid process

1568 2021_036,pdf.exe
1568 2021_036,pdf.exe

pid	process
1392	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

2021_036,pdf.exe2021_036,pdf.exemsiexec.exe

description	pid	process	target process
PID 1568 set thread context of 460	1568	2021_036,pdf.exe	2021_036,pdf.exe
PID 460 set thread context of 1372	460	2021_036,pdf.exe	Explorer.EXE
PID 1412 set thread context of 1372	1412	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

2021_036,pdf.exe2021_036,pdf.exemsiexec.exe

pid	process
1568	2021_036,pdf.exe
1568	2021_036,pdf.exe
1568	2021_036,pdf.exe
1568	2021_036,pdf.exe
460	2021_036,pdf.exe
460	2021_036,pdf.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe
1412	msiexec.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

2021_036,pdf.exe2021_036,pdf.exemsiexec.exe

pid process

1568 2021_036,pdf.exe
460 2021_036,pdf.exe
460 2021_036,pdf.exe
460 2021_036,pdf.exe
1412 msiexec.exe
1412 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2021_036,pdf.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 460 2021_036,pdf.exe
Token: SeDebugPrivilege 1412 msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	460	2021_036,pdf.exe
Token: SeDebugPrivilege	1412	msiexec.exe

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2021_036,pdf.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 1568 wrote to memory of 460	1568	2021_036,pdf.exe	2021_036,pdf.exe
PID 1568 wrote to memory of 460	1568	2021_036,pdf.exe	2021_036,pdf.exe
PID 1568 wrote to memory of 460	1568	2021_036,pdf.exe	2021_036,pdf.exe
PID 1568 wrote to memory of 460	1568	2021_036,pdf.exe	2021_036,pdf.exe
PID 1568 wrote to memory of 460	1568	2021_036,pdf.exe	2021_036,pdf.exe
PID 1372 wrote to memory of 1412	1372	Explorer.EXE	msiexec.exe
PID 1372 wrote to memory of 1412	1372	Explorer.EXE	msiexec.exe
PID 1372 wrote to memory of 1412	1372	Explorer.EXE	msiexec.exe
PID 1372 wrote to memory of 1412	1372	Explorer.EXE	msiexec.exe
PID 1372 wrote to memory of 1412	1372	Explorer.EXE	msiexec.exe
PID 1372 wrote to memory of 1412	1372	Explorer.EXE	msiexec.exe
PID 1372 wrote to memory of 1412	1372	Explorer.EXE	msiexec.exe
PID 1412 wrote to memory of 1392	1412	msiexec.exe	cmd.exe
PID 1412 wrote to memory of 1392	1412	msiexec.exe	cmd.exe
PID 1412 wrote to memory of 1392	1412	msiexec.exe	cmd.exe
PID 1412 wrote to memory of 1392	1412	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe"
3⤵
- Deletes itself
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Isdjek.dll
MD5
7183a8b8bb7e8b4712ffa8720476909c

SHA1
0819caf4c801c7877832442b47d6149143e1ebc4

SHA256
9d254261d58e3d155775c785039ecc7afa053c1e0b1d7eed2ff203101da48ddc

SHA512
21e7242f7f80d390a1f930594df78797340d8178a90da59ed9f0ee78f9b7b9cac0bc379637b25d5ca059fe0f2ff26b1e40926fb5597da4fe23dcbbb5b2ab254e

Download Submit
\Users\Admin\AppData\Local\Temp\nsy401D.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/460-59-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/460-60-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/460-61-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/1372-62-0x0000000003A00000-0x0000000003AEC000-memory.dmp

Filesize
944KB

Download
memory/1372-68-0x0000000008D00000-0x0000000008E43000-memory.dmp

Filesize
1.3MB

Download
memory/1412-64-0x0000000000200000-0x0000000000214000-memory.dmp

Filesize
80KB

Download
memory/1412-65-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1412-66-0x0000000002270000-0x0000000002573000-memory.dmp

Filesize
3.0MB

Download
memory/1412-67-0x0000000001FA0000-0x000000000202F000-memory.dmp

Filesize
572KB

Download
memory/1568-55-0x0000000076371000-0x0000000076373000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads