xloader | de84eba1dbe2c9b339c91d9f90180478b3e84a190f566d3c667d6490caa92601

General

Target

Order-317585122-pdf.exe
Size

291KB
MD5

67e35aa265604077c05cb33ce4faacac
SHA1

8bfd5d51b8416fb747e4c486b9c9691b28b47bcd
SHA256

de84eba1dbe2c9b339c91d9f90180478b3e84a190f566d3c667d6490caa92601
SHA512

a4867eb2efd3c44a941fa136d46b0d4bc024d99de60af70c07e11739c398f50e0309a3207889e8e64030ddefeeb68995f7cc6058fa3c183c535392795acb89b8

Score

10^/10

xloader uar3 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4556-135-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4556-138-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2504-144-0x00000000006F0000-0x0000000000719000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

zopxdxewlg.exezopxdxewlg.exe

pid process

4612 zopxdxewlg.exe
4556 zopxdxewlg.exe

pid	process
4612	zopxdxewlg.exe
4556	zopxdxewlg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

zopxdxewlg.exezopxdxewlg.execmstp.exe

description	pid	process	target process
PID 4612 set thread context of 4556	4612	zopxdxewlg.exe	zopxdxewlg.exe
PID 4556 set thread context of 3024	4556	zopxdxewlg.exe	Explorer.EXE
PID 2504 set thread context of 3024	2504	cmstp.exe	Explorer.EXE

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

zopxdxewlg.execmstp.exe

pid	process
4556	zopxdxewlg.exe
4556	zopxdxewlg.exe
4556	zopxdxewlg.exe
4556	zopxdxewlg.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe
2504	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

zopxdxewlg.execmstp.exe

pid process

4556 zopxdxewlg.exe
4556 zopxdxewlg.exe
4556 zopxdxewlg.exe
2504 cmstp.exe
2504 cmstp.exe

pid	process
3024	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

zopxdxewlg.execmstp.exesvchost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4556	zopxdxewlg.exe
Token: SeDebugPrivilege	2504	cmstp.exe
Token: SeShutdownPrivilege	2068	svchost.exe
Token: SeCreatePagefilePrivilege	2068	svchost.exe
Token: SeShutdownPrivilege	2068	svchost.exe
Token: SeCreatePagefilePrivilege	2068	svchost.exe
Token: SeShutdownPrivilege	2068	svchost.exe
Token: SeCreatePagefilePrivilege	2068	svchost.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Order-317585122-pdf.exezopxdxewlg.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 4680 wrote to memory of 4612	4680	Order-317585122-pdf.exe	zopxdxewlg.exe
PID 4680 wrote to memory of 4612	4680	Order-317585122-pdf.exe	zopxdxewlg.exe
PID 4680 wrote to memory of 4612	4680	Order-317585122-pdf.exe	zopxdxewlg.exe
PID 4612 wrote to memory of 4556	4612	zopxdxewlg.exe	zopxdxewlg.exe
PID 4612 wrote to memory of 4556	4612	zopxdxewlg.exe	zopxdxewlg.exe
PID 4612 wrote to memory of 4556	4612	zopxdxewlg.exe	zopxdxewlg.exe
PID 4612 wrote to memory of 4556	4612	zopxdxewlg.exe	zopxdxewlg.exe
PID 4612 wrote to memory of 4556	4612	zopxdxewlg.exe	zopxdxewlg.exe
PID 4612 wrote to memory of 4556	4612	zopxdxewlg.exe	zopxdxewlg.exe
PID 3024 wrote to memory of 2504	3024	Explorer.EXE	cmstp.exe
PID 3024 wrote to memory of 2504	3024	Explorer.EXE	cmstp.exe
PID 3024 wrote to memory of 2504	3024	Explorer.EXE	cmstp.exe
PID 2504 wrote to memory of 3392	2504	cmstp.exe	cmd.exe
PID 2504 wrote to memory of 3392	2504	cmstp.exe	cmd.exe
PID 2504 wrote to memory of 3392	2504	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\Order-317585122-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Order-317585122-pdf.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4680

C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe
C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe C:\Users\Admin\AppData\Local\Temp\ehrzs
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4612

C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe
C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe C:\Users\Admin\AppData\Local\Temp\ehrzs
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe"
3⤵
PID:3392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1fbn5v0s8c6lcdpx
MD5
933f76aef373e9a8849662974af05cad

SHA1
98a413ca0863374f07391b2486ac867d511f1e88

SHA256
e7a37f91578fdfa04ba84b3c036b68b42735e5c358c57473bbbbdf82cb5955ce

SHA512
3c28a1e868fa3529bc9a0da72855e4c0f4b55cd9968d6d551f42ed493fe7358a77a60b92e403a9ea0886c0e2e16fd231120e54f2a2ae79b21fceccebe058f013

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehrzs
MD5
852d3f916eeb8a1af5a2a998473f9d13

SHA1
1e51dfce7f29835de4a0e5ee4578d22161003fa8

SHA256
d415c8fe1b3399662f62564c1c981a62e6e4b2658880fd9483baf670a5e284cd

SHA512
56dd13a9ff6e4e6a65a56441d7c94f36b47dfa765755c84d69f36878103fcbf9d23f0203ef6c68a0e53df66f8deafa99c331276ff320ec30c488111dcdfbcafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe
MD5
0a5906255c645c41ba209449c4ae3429

SHA1
21f3c28d9d3452b0ff5e972b7a4a93ec29214b6b

SHA256
52567b34523dafeed31b34cd5e72f9c746ef639e17317bbbe0e6e01e7ea9b47e

SHA512
ef805d887e4ca2b599c3efca5ed475f4e0d4ab6dc2ae3544fd98ac059239b4b8066a2a09759fd90fb7fa8833e8720612790c8ef1839a27ab5d352f8a67f9fa83

Download Submit
C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe
MD5
0a5906255c645c41ba209449c4ae3429

SHA1
21f3c28d9d3452b0ff5e972b7a4a93ec29214b6b

SHA256
52567b34523dafeed31b34cd5e72f9c746ef639e17317bbbe0e6e01e7ea9b47e

SHA512
ef805d887e4ca2b599c3efca5ed475f4e0d4ab6dc2ae3544fd98ac059239b4b8066a2a09759fd90fb7fa8833e8720612790c8ef1839a27ab5d352f8a67f9fa83

Download Submit
C:\Users\Admin\AppData\Local\Temp\zopxdxewlg.exe
MD5
0a5906255c645c41ba209449c4ae3429

SHA1
21f3c28d9d3452b0ff5e972b7a4a93ec29214b6b

SHA256
52567b34523dafeed31b34cd5e72f9c746ef639e17317bbbe0e6e01e7ea9b47e

SHA512
ef805d887e4ca2b599c3efca5ed475f4e0d4ab6dc2ae3544fd98ac059239b4b8066a2a09759fd90fb7fa8833e8720612790c8ef1839a27ab5d352f8a67f9fa83

Download Submit
memory/2068-150-0x00000270D0450000-0x00000270D0454000-memory.dmp

Filesize
16KB

Download
memory/2068-149-0x00000270CDD80000-0x00000270CDD90000-memory.dmp

Filesize
64KB

Download
memory/2068-148-0x00000270CDD20000-0x00000270CDD30000-memory.dmp

Filesize
64KB

Download
memory/2504-145-0x0000000002750000-0x0000000002A9A000-memory.dmp

Filesize
3.3MB

Download
memory/2504-146-0x00000000024B0000-0x0000000002540000-memory.dmp

Filesize
576KB

Download
memory/2504-143-0x00000000007B0000-0x00000000007C6000-memory.dmp

Filesize
88KB

Download
memory/2504-144-0x00000000006F0000-0x0000000000719000-memory.dmp

Filesize
164KB

Download
memory/3024-147-0x0000000001280000-0x0000000001313000-memory.dmp

Filesize
588KB

Download
memory/3024-142-0x0000000008D30000-0x0000000008ED8000-memory.dmp

Filesize
1.7MB

Download
memory/4556-135-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4556-141-0x00000000007E0000-0x00000000007F1000-memory.dmp

Filesize
68KB

Download
memory/4556-140-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/4556-139-0x0000000000AB0000-0x0000000000DFA000-memory.dmp

Filesize
3.3MB

Download
memory/4556-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-134-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads