xloader | de84eba1dbe2c9b339c91d9f90180478b3e84a190f566d3c667d6490caa92601

General

Target

Order-317585122-pdf.exe
Size

291KB
MD5

67e35aa265604077c05cb33ce4faacac
SHA1

8bfd5d51b8416fb747e4c486b9c9691b28b47bcd
SHA256

de84eba1dbe2c9b339c91d9f90180478b3e84a190f566d3c667d6490caa92601
SHA512

a4867eb2efd3c44a941fa136d46b0d4bc024d99de60af70c07e11739c398f50e0309a3207889e8e64030ddefeeb68995f7cc6058fa3c183c535392795acb89b8

Score

10^/10

xloader uar3 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1332-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1332-66-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1472-72-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

zopxdxewlg.exezopxdxewlg.exe

pid process

1252 zopxdxewlg.exe
1332 zopxdxewlg.exe
Loads dropped DLL 2 IoCs

Processes:

Order-317585122-pdf.exezopxdxewlg.exe

pid process

604 Order-317585122-pdf.exe
1252 zopxdxewlg.exe

pid	process
1252	zopxdxewlg.exe
1332	zopxdxewlg.exe

pid	process
604	Order-317585122-pdf.exe
1252	zopxdxewlg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

zopxdxewlg.exezopxdxewlg.exechkdsk.exe

description	pid	process	target process
PID 1252 set thread context of 1332	1252	zopxdxewlg.exe	zopxdxewlg.exe
PID 1332 set thread context of 1232	1332	zopxdxewlg.exe	Explorer.EXE
PID 1472 set thread context of 1232	1472	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

zopxdxewlg.exechkdsk.exe

pid	process
1332	zopxdxewlg.exe
1332	zopxdxewlg.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe
1472	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

zopxdxewlg.exechkdsk.exe

pid process

1332 zopxdxewlg.exe
1332 zopxdxewlg.exe
1332 zopxdxewlg.exe
1472 chkdsk.exe
1472 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

zopxdxewlg.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 1332 zopxdxewlg.exe
Token: SeDebugPrivilege 1472 chkdsk.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE

pid	process
1232	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1332	zopxdxewlg.exe
Token: SeDebugPrivilege	1472	chkdsk.exe

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Order-317585122-pdf.exezopxdxewlg.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 604 wrote to memory of 1252	604	Order-317585122-pdf.exe	zopxdxewlg.exe
PID 604 wrote to memory of 1252	604	Order-317585122-pdf.exe	zopxdxewlg.exe
PID 604 wrote to memory of 1252	604	Order-317585122-pdf.exe	zopxdxewlg.exe
PID 604 wrote to memory of 1252	604	Order-317585122-pdf.exe	zopxdxewlg.exe
PID 1252 wrote to memory of 1332	1252	zopxdxewlg.exe	zopxdxewlg.exe
PID 1252 wrote to memory of 1332	1252	zopxdxewlg.exe	zopxdxewlg.exe
PID 1252 wrote to memory of 1332	1252	zopxdxewlg.exe	zopxdxewlg.exe
PID 1252 wrote to memory of 1332	1252	zopxdxewlg.exe	zopxdxewlg.exe
PID 1252 wrote to memory of 1332	1252	zopxdxewlg.exe	zopxdxewlg.exe
PID 1252 wrote to memory of 1332	1252	zopxdxewlg.exe	zopxdxewlg.exe
PID 1252 wrote to memory of 1332	1252	zopxdxewlg.exe	zopxdxewlg.exe
PID 1232 wrote to memory of 1472	1232	Explorer.EXE	chkdsk.exe
PID 1232 wrote to memory of 1472	1232	Explorer.EXE	chkdsk.exe
PID 1232 wrote to memory of 1472	1232	Explorer.EXE	chkdsk.exe
PID 1232 wrote to memory of 1472	1232	Explorer.EXE	chkdsk.exe
PID 1472 wrote to memory of 1544	1472	chkdsk.exe	cmd.exe
PID 1472 wrote to memory of 1544	1472	chkdsk.exe	cmd.exe
PID 1472 wrote to memory of 1544	1472	chkdsk.exe	cmd.exe
PID 1472 wrote to memory of 1544	1472	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\Order-317585122-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Order-317585122-pdf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:604

C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe
C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe C:\Users\Admin\AppData\Local\Temp\ehrzs
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe
C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe C:\Users\Admin\AppData\Local\Temp\ehrzs
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe"
3⤵
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1fbn5v0s8c6lcdpx
MD5
933f76aef373e9a8849662974af05cad

SHA1
98a413ca0863374f07391b2486ac867d511f1e88

SHA256
e7a37f91578fdfa04ba84b3c036b68b42735e5c358c57473bbbbdf82cb5955ce

SHA512
3c28a1e868fa3529bc9a0da72855e4c0f4b55cd9968d6d551f42ed493fe7358a77a60b92e403a9ea0886c0e2e16fd231120e54f2a2ae79b21fceccebe058f013

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehrzs
MD5
852d3f916eeb8a1af5a2a998473f9d13

SHA1
1e51dfce7f29835de4a0e5ee4578d22161003fa8

SHA256
d415c8fe1b3399662f62564c1c981a62e6e4b2658880fd9483baf670a5e284cd

SHA512
56dd13a9ff6e4e6a65a56441d7c94f36b47dfa765755c84d69f36878103fcbf9d23f0203ef6c68a0e53df66f8deafa99c331276ff320ec30c488111dcdfbcafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe
MD5
0a5906255c645c41ba209449c4ae3429

SHA1
21f3c28d9d3452b0ff5e972b7a4a93ec29214b6b

SHA256
52567b34523dafeed31b34cd5e72f9c746ef639e17317bbbe0e6e01e7ea9b47e

SHA512
ef805d887e4ca2b599c3efca5ed475f4e0d4ab6dc2ae3544fd98ac059239b4b8066a2a09759fd90fb7fa8833e8720612790c8ef1839a27ab5d352f8a67f9fa83

Download Submit
C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe
MD5
0a5906255c645c41ba209449c4ae3429

SHA1
21f3c28d9d3452b0ff5e972b7a4a93ec29214b6b

SHA256
52567b34523dafeed31b34cd5e72f9c746ef639e17317bbbe0e6e01e7ea9b47e

SHA512
ef805d887e4ca2b599c3efca5ed475f4e0d4ab6dc2ae3544fd98ac059239b4b8066a2a09759fd90fb7fa8833e8720612790c8ef1839a27ab5d352f8a67f9fa83

Download Submit
C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe
MD5
0a5906255c645c41ba209449c4ae3429

SHA1
21f3c28d9d3452b0ff5e972b7a4a93ec29214b6b

SHA256
52567b34523dafeed31b34cd5e72f9c746ef639e17317bbbe0e6e01e7ea9b47e

SHA512
ef805d887e4ca2b599c3efca5ed475f4e0d4ab6dc2ae3544fd98ac059239b4b8066a2a09759fd90fb7fa8833e8720612790c8ef1839a27ab5d352f8a67f9fa83

Download Submit
\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe
MD5
0a5906255c645c41ba209449c4ae3429

SHA1
21f3c28d9d3452b0ff5e972b7a4a93ec29214b6b

SHA256
52567b34523dafeed31b34cd5e72f9c746ef639e17317bbbe0e6e01e7ea9b47e

SHA512
ef805d887e4ca2b599c3efca5ed475f4e0d4ab6dc2ae3544fd98ac059239b4b8066a2a09759fd90fb7fa8833e8720612790c8ef1839a27ab5d352f8a67f9fa83

Download Submit
\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe
MD5
0a5906255c645c41ba209449c4ae3429

SHA1
21f3c28d9d3452b0ff5e972b7a4a93ec29214b6b

SHA256
52567b34523dafeed31b34cd5e72f9c746ef639e17317bbbe0e6e01e7ea9b47e

SHA512
ef805d887e4ca2b599c3efca5ed475f4e0d4ab6dc2ae3544fd98ac059239b4b8066a2a09759fd90fb7fa8833e8720612790c8ef1839a27ab5d352f8a67f9fa83

Download Submit
memory/604-55-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/1232-70-0x0000000004CC0000-0x0000000004DA4000-memory.dmp

Filesize
912KB

Download
memory/1232-75-0x0000000003F50000-0x000000000400D000-memory.dmp

Filesize
756KB

Download
memory/1252-62-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download
memory/1332-66-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1332-68-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1332-69-0x0000000000480000-0x0000000000491000-memory.dmp

Filesize
68KB

Download
memory/1332-67-0x0000000000730000-0x0000000000A33000-memory.dmp

Filesize
3.0MB

Download
memory/1332-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1472-71-0x00000000003C0000-0x00000000003C7000-memory.dmp

Filesize
28KB

Download
memory/1472-72-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1472-73-0x0000000001F80000-0x0000000002283000-memory.dmp

Filesize
3.0MB

Download
memory/1472-74-0x0000000001E20000-0x0000000001EB0000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads