xloader | 47d1eec257fc20c0eb9ea82fabea47f9d0a2cb5c59804bdc18bb1792f85b1a3c

General

Target

68521717.exe
Size

291KB
MD5

c3e495a5457d35b55ebb9a6d69b69f40
SHA1

270dcc86f4d1c7765380fc3920c73893a34e7633
SHA256

3cba15742d927df8dacc3b41005dfa1f8e66fbae71135782befd3e55d5aceeae
SHA512

17922f514c2b674c9e2a3db713a84eeb7237fd9b590ac24ff5463de4365853b5843cc114ac7fede237c2fce533cf96e67a87b0b998a2fd2569e7873dcec64fc8

Score

10^/10

xloader uar3 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/268-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/268-66-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/708-71-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

ieyjyt.exeieyjyt.exe

pid process

1872 ieyjyt.exe
268 ieyjyt.exe
Loads dropped DLL 3 IoCs

Processes:

68521717.exeieyjyt.exe

pid process

1584 68521717.exe
1584 68521717.exe
1872 ieyjyt.exe

pid	process
1872	ieyjyt.exe
268	ieyjyt.exe

pid	process
1584	68521717.exe
1584	68521717.exe
1872	ieyjyt.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ieyjyt.exeieyjyt.exesvchost.exe

description	pid	process	target process
PID 1872 set thread context of 268	1872	ieyjyt.exe	ieyjyt.exe
PID 268 set thread context of 1380	268	ieyjyt.exe	Explorer.EXE
PID 708 set thread context of 1380	708	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

ieyjyt.exesvchost.exe

pid	process
268	ieyjyt.exe
268	ieyjyt.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe
708	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

ieyjyt.exesvchost.exe

pid process

268 ieyjyt.exe
268 ieyjyt.exe
268 ieyjyt.exe
708 svchost.exe
708 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ieyjyt.exesvchost.exe

description pid process

Token: SeDebugPrivilege 268 ieyjyt.exe
Token: SeDebugPrivilege 708 svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
1380 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
1380 Explorer.EXE

pid	process
1380	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	268	ieyjyt.exe
Token: SeDebugPrivilege	708	svchost.exe

pid	process
1380	Explorer.EXE
1380	Explorer.EXE

pid	process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

68521717.exeieyjyt.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 1584 wrote to memory of 1872	1584	68521717.exe	ieyjyt.exe
PID 1584 wrote to memory of 1872	1584	68521717.exe	ieyjyt.exe
PID 1584 wrote to memory of 1872	1584	68521717.exe	ieyjyt.exe
PID 1584 wrote to memory of 1872	1584	68521717.exe	ieyjyt.exe
PID 1872 wrote to memory of 268	1872	ieyjyt.exe	ieyjyt.exe
PID 1872 wrote to memory of 268	1872	ieyjyt.exe	ieyjyt.exe
PID 1872 wrote to memory of 268	1872	ieyjyt.exe	ieyjyt.exe
PID 1872 wrote to memory of 268	1872	ieyjyt.exe	ieyjyt.exe
PID 1872 wrote to memory of 268	1872	ieyjyt.exe	ieyjyt.exe
PID 1872 wrote to memory of 268	1872	ieyjyt.exe	ieyjyt.exe
PID 1872 wrote to memory of 268	1872	ieyjyt.exe	ieyjyt.exe
PID 1380 wrote to memory of 708	1380	Explorer.EXE	svchost.exe
PID 1380 wrote to memory of 708	1380	Explorer.EXE	svchost.exe
PID 1380 wrote to memory of 708	1380	Explorer.EXE	svchost.exe
PID 1380 wrote to memory of 708	1380	Explorer.EXE	svchost.exe
PID 708 wrote to memory of 1392	708	svchost.exe	cmd.exe
PID 708 wrote to memory of 1392	708	svchost.exe	cmd.exe
PID 708 wrote to memory of 1392	708	svchost.exe	cmd.exe
PID 708 wrote to memory of 1392	708	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\68521717.exe
"C:\Users\Admin\AppData\Local\Temp\68521717.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe
C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe C:\Users\Admin\AppData\Local\Temp\eixmavz
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe
C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe C:\Users\Admin\AppData\Local\Temp\eixmavz
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe"
3⤵
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1kelwizjd26i2b39d
MD5
4d8d56bc68ac9d3f0fd07da48fb09d45

SHA1
6e613039c39c9054c50bdd1f7add44abbe294d44

SHA256
05a3aaa02de0e4dcc8ec953c7f2af4801aa6511667e1ecff9ffc412a9877e508

SHA512
4ff8435a7ad4d2624a96707dc80029db7dd6012f193e1213eac3a7a837f443512227cf0630f6a23ddf9132efa84f8fe71f1a4a3e4d75242e066b127379cc6810

Download Submit
C:\Users\Admin\AppData\Local\Temp\eixmavz
MD5
a0ea25f18db709ae463effbbdddd822e

SHA1
be778031717f4ebbb9d0a6e0e6939a49efa691fc

SHA256
f8ed3e230b3c978498fada768aa2caea599f530f1c9eccb9701800eff18dd1e6

SHA512
bd9ea6ba1e80b51173711fec920ef1b507793e56008046cf2ba877d8b0c088d0c99ae414fc4f5d77cfad2d7f118b52dcb2acb9a99fdcc260efd2788bc8a99926

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe
MD5
bc3d93f29a29ac6fc1d17b3875b745ca

SHA1
63661516467f1125f025443cda2d55522b580134

SHA256
11710934d6922fb486b6d1300536dc30045d77d00238b6b0ff7001fa4c932b92

SHA512
6db6759c679ff893046f8270bc0596fb6da6f68addb7f06ce8b066987373a253ed918737266a42a5d90c61f509f34da31ee581a9d748bfb0af2e3302175445f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe
MD5
bc3d93f29a29ac6fc1d17b3875b745ca

SHA1
63661516467f1125f025443cda2d55522b580134

SHA256
11710934d6922fb486b6d1300536dc30045d77d00238b6b0ff7001fa4c932b92

SHA512
6db6759c679ff893046f8270bc0596fb6da6f68addb7f06ce8b066987373a253ed918737266a42a5d90c61f509f34da31ee581a9d748bfb0af2e3302175445f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe
MD5
bc3d93f29a29ac6fc1d17b3875b745ca

SHA1
63661516467f1125f025443cda2d55522b580134

SHA256
11710934d6922fb486b6d1300536dc30045d77d00238b6b0ff7001fa4c932b92

SHA512
6db6759c679ff893046f8270bc0596fb6da6f68addb7f06ce8b066987373a253ed918737266a42a5d90c61f509f34da31ee581a9d748bfb0af2e3302175445f8

Download Submit
\Users\Admin\AppData\Local\Temp\ieyjyt.exe
MD5
bc3d93f29a29ac6fc1d17b3875b745ca

SHA1
63661516467f1125f025443cda2d55522b580134

SHA256
11710934d6922fb486b6d1300536dc30045d77d00238b6b0ff7001fa4c932b92

SHA512
6db6759c679ff893046f8270bc0596fb6da6f68addb7f06ce8b066987373a253ed918737266a42a5d90c61f509f34da31ee581a9d748bfb0af2e3302175445f8

Download Submit
\Users\Admin\AppData\Local\Temp\ieyjyt.exe
MD5
bc3d93f29a29ac6fc1d17b3875b745ca

SHA1
63661516467f1125f025443cda2d55522b580134

SHA256
11710934d6922fb486b6d1300536dc30045d77d00238b6b0ff7001fa4c932b92

SHA512
6db6759c679ff893046f8270bc0596fb6da6f68addb7f06ce8b066987373a253ed918737266a42a5d90c61f509f34da31ee581a9d748bfb0af2e3302175445f8

Download Submit
\Users\Admin\AppData\Local\Temp\ieyjyt.exe
MD5
bc3d93f29a29ac6fc1d17b3875b745ca

SHA1
63661516467f1125f025443cda2d55522b580134

SHA256
11710934d6922fb486b6d1300536dc30045d77d00238b6b0ff7001fa4c932b92

SHA512
6db6759c679ff893046f8270bc0596fb6da6f68addb7f06ce8b066987373a253ed918737266a42a5d90c61f509f34da31ee581a9d748bfb0af2e3302175445f8

Download Submit
memory/268-65-0x0000000000850000-0x0000000000B53000-memory.dmp

Filesize
3.0MB

Download
memory/268-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/268-66-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/268-67-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/268-68-0x0000000000110000-0x0000000000121000-memory.dmp

Filesize
68KB

Download
memory/708-70-0x00000000008A0000-0x00000000008A8000-memory.dmp

Filesize
32KB

Download
memory/708-71-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/708-72-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/708-73-0x0000000000570000-0x0000000000600000-memory.dmp

Filesize
576KB

Download
memory/1380-69-0x0000000006A70000-0x0000000006BD3000-memory.dmp

Filesize
1.4MB

Download
memory/1380-74-0x0000000006500000-0x00000000065F9000-memory.dmp

Filesize
996KB

Download
memory/1584-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads