xloader | 0056e3cbc8cb00f5048b48dc5bbba8a4571d9552cee39b1d53a87f364eac2bdb

General

Target

Purchase Order FEB22_76543.exe
Size

769KB
MD5

bcc32aa0cb21d67d81d9ddbd39c3e2d9
SHA1

2f0dfdf0a29ab5c1177c1245bebbdb2ee0513686
SHA256

ed99b5652455f1287171fd7d49a5ac69add7ed72a08712d4c66f6474fd094615
SHA512

571c706963b172d9bdd707c0f833fe9b09a41c52d6ac8e0b8d771ccbca88d4ff43cafcba30b2f9bc5f7afcb2d5908920e0553c740139b32a374b0cf07fbd6b82

Score

10^/10

xloader zqzw loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

zqzw

Decoy

laurentmathieu.com

nohohonndana.com

hhmc.info

shophallows.com

blazebunk.com

goodbridge.xyz

flakycloud.com

bakermckenziegroups.com

formation-adistance.com

lovingearthbotanicals.com

tbrservice.plus

heritagehousehotels.com

drwbuildersco.com

lacsghb.com

wain3x.com

dadreview.club

continiutycp.com

cockgirls.com

48mpt.xyz

033skz.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2220-140-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3112-147-0x00000000008F0000-0x0000000000919000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

Purchase Order FEB22_76543.exePurchase Order FEB22_76543.exeWWAHost.exe

description	pid	process	target process
PID 3808 set thread context of 2220	3808	Purchase Order FEB22_76543.exe	Purchase Order FEB22_76543.exe
PID 2220 set thread context of 2712	2220	Purchase Order FEB22_76543.exe	Explorer.EXE
PID 3112 set thread context of 2712	3112	WWAHost.exe	Explorer.EXE

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

Purchase Order FEB22_76543.exeWWAHost.exe

pid	process
2220	Purchase Order FEB22_76543.exe
2220	Purchase Order FEB22_76543.exe
2220	Purchase Order FEB22_76543.exe
2220	Purchase Order FEB22_76543.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe
3112	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2712 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Purchase Order FEB22_76543.exeWWAHost.exe

pid process

2220 Purchase Order FEB22_76543.exe
2220 Purchase Order FEB22_76543.exe
2220 Purchase Order FEB22_76543.exe
3112 WWAHost.exe
3112 WWAHost.exe

pid	process
2712	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	1548	svchost.exe
Token: SeCreatePagefilePrivilege	1548	svchost.exe
Token: SeShutdownPrivilege	1548	svchost.exe
Token: SeCreatePagefilePrivilege	1548	svchost.exe
Token: SeShutdownPrivilege	1548	svchost.exe
Token: SeCreatePagefilePrivilege	1548	svchost.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe
Token: SeRestorePrivilege	2044	TiWorker.exe
Token: SeSecurityPrivilege	2044	TiWorker.exe
Token: SeBackupPrivilege	2044	TiWorker.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Purchase Order FEB22_76543.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 3808 wrote to memory of 2220	3808	Purchase Order FEB22_76543.exe	Purchase Order FEB22_76543.exe
PID 3808 wrote to memory of 2220	3808	Purchase Order FEB22_76543.exe	Purchase Order FEB22_76543.exe
PID 3808 wrote to memory of 2220	3808	Purchase Order FEB22_76543.exe	Purchase Order FEB22_76543.exe
PID 3808 wrote to memory of 2220	3808	Purchase Order FEB22_76543.exe	Purchase Order FEB22_76543.exe
PID 3808 wrote to memory of 2220	3808	Purchase Order FEB22_76543.exe	Purchase Order FEB22_76543.exe
PID 3808 wrote to memory of 2220	3808	Purchase Order FEB22_76543.exe	Purchase Order FEB22_76543.exe
PID 2712 wrote to memory of 3112	2712	Explorer.EXE	WWAHost.exe
PID 2712 wrote to memory of 3112	2712	Explorer.EXE	WWAHost.exe
PID 2712 wrote to memory of 3112	2712	Explorer.EXE	WWAHost.exe
PID 3112 wrote to memory of 2008	3112	WWAHost.exe	cmd.exe
PID 3112 wrote to memory of 2008	3112	WWAHost.exe	cmd.exe
PID 3112 wrote to memory of 2008	3112	WWAHost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\Purchase Order FEB22_76543.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order FEB22_76543.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3808

C:\Users\Admin\AppData\Local\Temp\Purchase Order FEB22_76543.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2220

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order FEB22_76543.exe"
3⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1548-139-0x0000024634EF0000-0x0000024634EF4000-memory.dmp

Filesize
16KB

Download
memory/1548-138-0x0000024632820000-0x0000024632830000-memory.dmp

Filesize
64KB

Download
memory/1548-137-0x0000024632170000-0x0000024632180000-memory.dmp

Filesize
64KB

Download
memory/2220-144-0x00000000013D0000-0x00000000013E1000-memory.dmp

Filesize
68KB

Download
memory/2220-143-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/2220-141-0x00000000014C0000-0x000000000180A000-memory.dmp

Filesize
3.3MB

Download
memory/2220-140-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2712-150-0x0000000007CE0000-0x0000000007D83000-memory.dmp

Filesize
652KB

Download
memory/2712-145-0x0000000007E10000-0x0000000007FAA000-memory.dmp

Filesize
1.6MB

Download
memory/3112-146-0x0000000000200000-0x00000000002DC000-memory.dmp

Filesize
880KB

Download
memory/3112-147-0x00000000008F0000-0x0000000000919000-memory.dmp

Filesize
164KB

Download
memory/3112-148-0x0000000001B50000-0x0000000001E9A000-memory.dmp

Filesize
3.3MB

Download
memory/3112-149-0x00000000018F0000-0x0000000001980000-memory.dmp

Filesize
576KB

Download
memory/3808-136-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3808-135-0x0000000004D90000-0x0000000004D9A000-memory.dmp

Filesize
40KB

Download
memory/3808-134-0x0000000004E30000-0x0000000004ECC000-memory.dmp

Filesize
624KB

Download
memory/3808-133-0x0000000004CF0000-0x0000000004D82000-memory.dmp

Filesize
584KB

Download
memory/3808-132-0x0000000074F6E000-0x0000000074F6F000-memory.dmp

Filesize
4KB

Download
memory/3808-130-0x0000000000280000-0x0000000000346000-memory.dmp

Filesize
792KB

Download
memory/3808-131-0x00000000052A0000-0x0000000005844000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads