xloader | 508cb22224be3ffe5f189767b150490b717fdfbbdea4ea41c3a1add4ecfe7730

General

Target

tmp.exe
Size

520KB
MD5

47811f527386f1024081701f3812deb7
SHA1

16934d7dbc4ad5f583f3721e180c0669a57c5c84
SHA256

508cb22224be3ffe5f189767b150490b717fdfbbdea4ea41c3a1add4ecfe7730
SHA512

df060d3d595f6da2a25f54c8ecf4398bbe83c3bc39f15c258f3a984a77578389019095355f082adb9a4921390bf53c2c06b098cb7a9639ef1c13cc343fcc4f03

Score

10^/10

xloader r87g loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

r87g

Decoy

gzjyjzsj.com

rapibest.com

affordablebathroomsbyfrank.net

roboruben.com

xn--dlisucr-byag.com

encoreasso.com

piscire.com

dixiebusybee.com

newrome.xyz

sunshinejon.com

glacierforfcs.xyz

borhanmarket.com

tous-des-cons.club

hsfstea.com

spiniform.info

vaicomfibra.com

shinigami.xyz

kryptoindia.com

listentoappetite.com

securepplpay.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3868-142-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1800-160-0x0000000001360000-0x0000000001389000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tmp.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation tmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	tmp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp.exetmp.execmd.exe

description	pid	process	target process
PID 908 set thread context of 3868	908	tmp.exe	tmp.exe
PID 3868 set thread context of 2636	3868	tmp.exe	Explorer.EXE
PID 1800 set thread context of 2636	1800	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

764 schtasks.exe

pid	process
764	schtasks.exe

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

powershell.exetmp.execmd.exe

pid	process
1624	powershell.exe
1624	powershell.exe
3868	tmp.exe
3868	tmp.exe
3868	tmp.exe
3868	tmp.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe
1800	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2636 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

tmp.execmd.exe

pid process

3868 tmp.exe
3868 tmp.exe
3868 tmp.exe
1800 cmd.exe
1800 cmd.exe

pid	process
2636	Explorer.EXE

pid	process
3868	tmp.exe
3868	tmp.exe
3868	tmp.exe
1800	cmd.exe
1800	cmd.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exetmp.execmd.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	3868	tmp.exe
Token: SeDebugPrivilege	1800	cmd.exe
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE
Token: SeShutdownPrivilege	2636	Explorer.EXE
Token: SeCreatePagefilePrivilege	2636	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

tmp.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 908 wrote to memory of 1624	908	tmp.exe	powershell.exe
PID 908 wrote to memory of 1624	908	tmp.exe	powershell.exe
PID 908 wrote to memory of 1624	908	tmp.exe	powershell.exe
PID 908 wrote to memory of 764	908	tmp.exe	schtasks.exe
PID 908 wrote to memory of 764	908	tmp.exe	schtasks.exe
PID 908 wrote to memory of 764	908	tmp.exe	schtasks.exe
PID 908 wrote to memory of 3868	908	tmp.exe	tmp.exe
PID 908 wrote to memory of 3868	908	tmp.exe	tmp.exe
PID 908 wrote to memory of 3868	908	tmp.exe	tmp.exe
PID 908 wrote to memory of 3868	908	tmp.exe	tmp.exe
PID 908 wrote to memory of 3868	908	tmp.exe	tmp.exe
PID 908 wrote to memory of 3868	908	tmp.exe	tmp.exe
PID 2636 wrote to memory of 1800	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 1800	2636	Explorer.EXE	cmd.exe
PID 2636 wrote to memory of 1800	2636	Explorer.EXE	cmd.exe
PID 1800 wrote to memory of 3820	1800	cmd.exe	cmd.exe
PID 1800 wrote to memory of 3820	1800	cmd.exe	cmd.exe
PID 1800 wrote to memory of 3820	1800	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QuPVQiTftBFHdL.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QuPVQiTftBFHdL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp39FC.tmp"
3⤵
- Creates scheduled task(s)
PID:764

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
PID:3820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp39FC.tmp
Filesize
1KB

MD5
8d15587bc624dcbc5fa7c90ae33df1a7

SHA1
9436670c8a6ae09e4ddc26394d1f67982909be9a

SHA256
534644cfc2aebd9f01a079622cb9de4f46799ffd910a1a26bdc38241473673e5

SHA512
c2d80da487f2fc0a029a8aa423bd74d8cf34b49e399226c095dd1a4c03ca96271fd6a3970534893354106bf94f7fc99339f994474f0bfe5f9041efe75dca5a7d

Download Submit
memory/764-137-0x0000000000000000-mapping.dmp

Download
memory/908-131-0x0000000005A80000-0x0000000006024000-memory.dmp

Filesize
5.6MB

Download
memory/908-132-0x00000000053F0000-0x0000000005482000-memory.dmp

Filesize
584KB

Download
memory/908-133-0x0000000005600000-0x000000000569C000-memory.dmp

Filesize
624KB

Download
memory/908-134-0x00000000054A0000-0x00000000054AA000-memory.dmp

Filesize
40KB

Download
memory/908-135-0x0000000007C30000-0x0000000007C96000-memory.dmp

Filesize
408KB

Download
memory/908-130-0x00000000009D0000-0x0000000000A52000-memory.dmp

Filesize
520KB

Download
memory/1624-144-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/1624-150-0x0000000006BC0000-0x0000000006BF2000-memory.dmp

Filesize
200KB

Download
memory/1624-140-0x0000000005940000-0x0000000005F68000-memory.dmp

Filesize
6.2MB

Download
memory/1624-156-0x0000000007BA0000-0x0000000007C36000-memory.dmp

Filesize
600KB

Download
memory/1624-164-0x0000000007C40000-0x0000000007C48000-memory.dmp

Filesize
32KB

Download
memory/1624-143-0x00000000056D0000-0x00000000056F2000-memory.dmp

Filesize
136KB

Download
memory/1624-161-0x0000000007B50000-0x0000000007B5E000-memory.dmp

Filesize
56KB

Download
memory/1624-146-0x0000000006620000-0x000000000663E000-memory.dmp

Filesize
120KB

Download
memory/1624-163-0x0000000007C60000-0x0000000007C7A000-memory.dmp

Filesize
104KB

Download
memory/1624-155-0x0000000007990000-0x000000000799A000-memory.dmp

Filesize
40KB

Download
memory/1624-136-0x0000000000000000-mapping.dmp

Download
memory/1624-138-0x0000000002D50000-0x0000000002D86000-memory.dmp

Filesize
216KB

Download
memory/1624-151-0x0000000071600000-0x000000007164C000-memory.dmp

Filesize
304KB

Download
memory/1624-152-0x0000000006BA0000-0x0000000006BBE000-memory.dmp

Filesize
120KB

Download
memory/1624-153-0x0000000007F60000-0x00000000085DA000-memory.dmp

Filesize
6.5MB

Download
memory/1624-154-0x0000000007920000-0x000000000793A000-memory.dmp

Filesize
104KB

Download
memory/1800-162-0x0000000001C20000-0x0000000001F6A000-memory.dmp

Filesize
3.3MB

Download
memory/1800-165-0x0000000001AF0000-0x0000000001B80000-memory.dmp

Filesize
576KB

Download
memory/1800-157-0x0000000000000000-mapping.dmp

Download
memory/1800-160-0x0000000001360000-0x0000000001389000-memory.dmp

Filesize
164KB

Download
memory/1800-159-0x0000000000D40000-0x0000000000D9A000-memory.dmp

Filesize
360KB

Download
memory/2636-149-0x0000000002BC0000-0x0000000002C6C000-memory.dmp

Filesize
688KB

Download
memory/2636-166-0x0000000007470000-0x00000000075B5000-memory.dmp

Filesize
1.3MB

Download
memory/3820-158-0x0000000000000000-mapping.dmp

Download
memory/3868-148-0x0000000000F90000-0x0000000000FA1000-memory.dmp

Filesize
68KB

Download
memory/3868-147-0x0000000001520000-0x000000000186A000-memory.dmp

Filesize
3.3MB

Download
memory/3868-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3868-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads