xloader | 47d1eec257fc20c0eb9ea82fabea47f9d0a2cb5c59804bdc18bb1792f85b1a3c

General

Target

68521717.exe
Size

291KB
MD5

c3e495a5457d35b55ebb9a6d69b69f40
SHA1

270dcc86f4d1c7765380fc3920c73893a34e7633
SHA256

3cba15742d927df8dacc3b41005dfa1f8e66fbae71135782befd3e55d5aceeae
SHA512

17922f514c2b674c9e2a3db713a84eeb7237fd9b590ac24ff5463de4365853b5843cc114ac7fede237c2fce533cf96e67a87b0b998a2fd2569e7873dcec64fc8

Score

10^/10

xloader uar3 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5036-134-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1176-143-0x0000000000E90000-0x0000000000EB9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

ieyjyt.exeieyjyt.exe

pid process

1480 ieyjyt.exe
5036 ieyjyt.exe

pid	process
1480	ieyjyt.exe
5036	ieyjyt.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ieyjyt.exeieyjyt.exerundll32.exe

description	pid	process	target process
PID 1480 set thread context of 5036	1480	ieyjyt.exe	ieyjyt.exe
PID 5036 set thread context of 3044	5036	ieyjyt.exe	Explorer.EXE
PID 1176 set thread context of 3044	1176	rundll32.exe	Explorer.EXE

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

ieyjyt.exerundll32.exe

pid	process
5036	ieyjyt.exe
5036	ieyjyt.exe
5036	ieyjyt.exe
5036	ieyjyt.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3044 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

ieyjyt.exerundll32.exe

pid process

5036 ieyjyt.exe
5036 ieyjyt.exe
5036 ieyjyt.exe
1176 rundll32.exe
1176 rundll32.exe

pid	process
3044	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

ieyjyt.exerundll32.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	5036	ieyjyt.exe
Token: SeDebugPrivilege	1176	rundll32.exe
Token: SeShutdownPrivilege	4684	svchost.exe
Token: SeCreatePagefilePrivilege	4684	svchost.exe
Token: SeShutdownPrivilege	4684	svchost.exe
Token: SeCreatePagefilePrivilege	4684	svchost.exe
Token: SeShutdownPrivilege	4684	svchost.exe
Token: SeCreatePagefilePrivilege	4684	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

68521717.exeieyjyt.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 4784 wrote to memory of 1480	4784	68521717.exe	ieyjyt.exe
PID 4784 wrote to memory of 1480	4784	68521717.exe	ieyjyt.exe
PID 4784 wrote to memory of 1480	4784	68521717.exe	ieyjyt.exe
PID 1480 wrote to memory of 5036	1480	ieyjyt.exe	ieyjyt.exe
PID 1480 wrote to memory of 5036	1480	ieyjyt.exe	ieyjyt.exe
PID 1480 wrote to memory of 5036	1480	ieyjyt.exe	ieyjyt.exe
PID 1480 wrote to memory of 5036	1480	ieyjyt.exe	ieyjyt.exe
PID 1480 wrote to memory of 5036	1480	ieyjyt.exe	ieyjyt.exe
PID 1480 wrote to memory of 5036	1480	ieyjyt.exe	ieyjyt.exe
PID 3044 wrote to memory of 1176	3044	Explorer.EXE	rundll32.exe
PID 3044 wrote to memory of 1176	3044	Explorer.EXE	rundll32.exe
PID 3044 wrote to memory of 1176	3044	Explorer.EXE	rundll32.exe
PID 1176 wrote to memory of 3468	1176	rundll32.exe	cmd.exe
PID 1176 wrote to memory of 3468	1176	rundll32.exe	cmd.exe
PID 1176 wrote to memory of 3468	1176	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\68521717.exe
"C:\Users\Admin\AppData\Local\Temp\68521717.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4784

C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe
C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe C:\Users\Admin\AppData\Local\Temp\eixmavz
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe
C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe C:\Users\Admin\AppData\Local\Temp\eixmavz
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1952

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4724

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:5024

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3740

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2620

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:5068

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:700

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3036

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe"
3⤵
PID:3468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1kelwizjd26i2b39d
MD5
4d8d56bc68ac9d3f0fd07da48fb09d45

SHA1
6e613039c39c9054c50bdd1f7add44abbe294d44

SHA256
05a3aaa02de0e4dcc8ec953c7f2af4801aa6511667e1ecff9ffc412a9877e508

SHA512
4ff8435a7ad4d2624a96707dc80029db7dd6012f193e1213eac3a7a837f443512227cf0630f6a23ddf9132efa84f8fe71f1a4a3e4d75242e066b127379cc6810

Download Submit
C:\Users\Admin\AppData\Local\Temp\eixmavz
MD5
a0ea25f18db709ae463effbbdddd822e

SHA1
be778031717f4ebbb9d0a6e0e6939a49efa691fc

SHA256
f8ed3e230b3c978498fada768aa2caea599f530f1c9eccb9701800eff18dd1e6

SHA512
bd9ea6ba1e80b51173711fec920ef1b507793e56008046cf2ba877d8b0c088d0c99ae414fc4f5d77cfad2d7f118b52dcb2acb9a99fdcc260efd2788bc8a99926

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe
MD5
bc3d93f29a29ac6fc1d17b3875b745ca

SHA1
63661516467f1125f025443cda2d55522b580134

SHA256
11710934d6922fb486b6d1300536dc30045d77d00238b6b0ff7001fa4c932b92

SHA512
6db6759c679ff893046f8270bc0596fb6da6f68addb7f06ce8b066987373a253ed918737266a42a5d90c61f509f34da31ee581a9d748bfb0af2e3302175445f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe
MD5
bc3d93f29a29ac6fc1d17b3875b745ca

SHA1
63661516467f1125f025443cda2d55522b580134

SHA256
11710934d6922fb486b6d1300536dc30045d77d00238b6b0ff7001fa4c932b92

SHA512
6db6759c679ff893046f8270bc0596fb6da6f68addb7f06ce8b066987373a253ed918737266a42a5d90c61f509f34da31ee581a9d748bfb0af2e3302175445f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe
MD5
bc3d93f29a29ac6fc1d17b3875b745ca

SHA1
63661516467f1125f025443cda2d55522b580134

SHA256
11710934d6922fb486b6d1300536dc30045d77d00238b6b0ff7001fa4c932b92

SHA512
6db6759c679ff893046f8270bc0596fb6da6f68addb7f06ce8b066987373a253ed918737266a42a5d90c61f509f34da31ee581a9d748bfb0af2e3302175445f8

Download Submit
memory/1176-144-0x0000000002D50000-0x000000000309A000-memory.dmp

Filesize
3.3MB

Download
memory/1176-142-0x0000000000740000-0x0000000000754000-memory.dmp

Filesize
80KB

Download
memory/1176-145-0x0000000002BB0000-0x0000000002C40000-memory.dmp

Filesize
576KB

Download
memory/1176-143-0x0000000000E90000-0x0000000000EB9000-memory.dmp

Filesize
164KB

Download
memory/1480-135-0x0000000000A70000-0x0000000000A72000-memory.dmp

Filesize
8KB

Download
memory/3044-146-0x00000000080F0000-0x00000000081A8000-memory.dmp

Filesize
736KB

Download
memory/3044-141-0x0000000002B70000-0x0000000002C2E000-memory.dmp

Filesize
760KB

Download
memory/4684-148-0x000001DC210F0000-0x000001DC21100000-memory.dmp

Filesize
64KB

Download
memory/4684-147-0x000001DC209A0000-0x000001DC209B0000-memory.dmp

Filesize
64KB

Download
memory/4684-149-0x000001DC23620000-0x000001DC23624000-memory.dmp

Filesize
16KB

Download
memory/5036-140-0x00000000015D0000-0x00000000015E1000-memory.dmp

Filesize
68KB

Download
memory/5036-138-0x0000000001730000-0x0000000001A7A000-memory.dmp

Filesize
3.3MB

Download
memory/5036-139-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/5036-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads