xloader | 8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267

General

Target

New purchase Order.exe
Size

477KB
MD5

dd481272bd8f9e8ca40868e4a90db854
SHA1

8871b4d7173d89b539aa1b3e91139cb4c0ce744e
SHA256

8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267
SHA512

168ed59d8f6edd7b37b44441480e59fdef67beb35487974aec59aa36852407c75d5537532f6cd0104327516fd2e0359fadb6fe56a8def782864413df341761a8

Score

10^/10

xloader a8hq loader persistence rat spyware stealer suricata

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

a8hq

Decoy

veteransductcleaning.com

beajtjunkies.com

houseofascofi.com

scottsdalemediator.com

atelyadesign.com

profitcase.pro

imtokenio.club

qinglingpai.com

bigsmile-meal.net

daytonlivestream.com

aspiradores10.online

ytybs120.com

hdatelier.com

bearpierce.com

yeson28ca.com

booklearner.com

m8j9.club

mmophamthinhlegend.space

hq4a7o6zb.com

sophiadaki.online

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4324-139-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral2/memory/4284-146-0x0000000000850000-0x000000000087B000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New purchase Order.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	New purchase Order.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZBMLBHH8RP = "C:\\Program Files (x86)\\Fb6itazi\\dbepmbxxqnj8rbmx.exe"	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

New purchase Order.exeNew purchase Order.exesvchost.exe

description	pid	process	target process
PID 3968 set thread context of 4324	3968	New purchase Order.exe	New purchase Order.exe
PID 4324 set thread context of 3140	4324	New purchase Order.exe	Explorer.EXE
PID 4284 set thread context of 3140	4284	svchost.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Program Files (x86)\Fb6itazi\dbepmbxxqnj8rbmx.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3532 schtasks.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Fb6itazi\dbepmbxxqnj8rbmx.exe	svchost.exe

pid	process
3532	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

New purchase Order.exeNew purchase Order.exesvchost.exe

pid	process
3968	New purchase Order.exe
3968	New purchase Order.exe
3968	New purchase Order.exe
4324	New purchase Order.exe
4324	New purchase Order.exe
4324	New purchase Order.exe
4324	New purchase Order.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3140 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

New purchase Order.exesvchost.exe

pid process

4324 New purchase Order.exe
4324 New purchase Order.exe
4324 New purchase Order.exe
4284 svchost.exe
4284 svchost.exe
4284 svchost.exe

pid	process
3140	Explorer.EXE

pid	process
4324	New purchase Order.exe
4324	New purchase Order.exe
4324	New purchase Order.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

New purchase Order.exeNew purchase Order.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3968	New purchase Order.exe
Token: SeDebugPrivilege	4324	New purchase Order.exe
Token: SeDebugPrivilege	4284	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

New purchase Order.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 3968 wrote to memory of 3532	3968	New purchase Order.exe	schtasks.exe
PID 3968 wrote to memory of 3532	3968	New purchase Order.exe	schtasks.exe
PID 3968 wrote to memory of 3532	3968	New purchase Order.exe	schtasks.exe
PID 3968 wrote to memory of 4332	3968	New purchase Order.exe	New purchase Order.exe
PID 3968 wrote to memory of 4332	3968	New purchase Order.exe	New purchase Order.exe
PID 3968 wrote to memory of 4332	3968	New purchase Order.exe	New purchase Order.exe
PID 3968 wrote to memory of 4324	3968	New purchase Order.exe	New purchase Order.exe
PID 3968 wrote to memory of 4324	3968	New purchase Order.exe	New purchase Order.exe
PID 3968 wrote to memory of 4324	3968	New purchase Order.exe	New purchase Order.exe
PID 3968 wrote to memory of 4324	3968	New purchase Order.exe	New purchase Order.exe
PID 3968 wrote to memory of 4324	3968	New purchase Order.exe	New purchase Order.exe
PID 3968 wrote to memory of 4324	3968	New purchase Order.exe	New purchase Order.exe
PID 3140 wrote to memory of 4284	3140	Explorer.EXE	svchost.exe
PID 3140 wrote to memory of 4284	3140	Explorer.EXE	svchost.exe
PID 3140 wrote to memory of 4284	3140	Explorer.EXE	svchost.exe
PID 4284 wrote to memory of 5108	4284	svchost.exe	cmd.exe
PID 4284 wrote to memory of 5108	4284	svchost.exe	cmd.exe
PID 4284 wrote to memory of 5108	4284	svchost.exe	cmd.exe
PID 4284 wrote to memory of 5044	4284	svchost.exe	cmd.exe
PID 4284 wrote to memory of 5044	4284	svchost.exe	cmd.exe
PID 4284 wrote to memory of 5044	4284	svchost.exe	cmd.exe
PID 4284 wrote to memory of 2408	4284	svchost.exe	cmd.exe
PID 4284 wrote to memory of 2408	4284	svchost.exe	cmd.exe
PID 4284 wrote to memory of 2408	4284	svchost.exe	cmd.exe
PID 4284 wrote to memory of 2584	4284	svchost.exe	Firefox.exe
PID 4284 wrote to memory of 2584	4284	svchost.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NADfrJFSUbwNu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE1C9.tmp"
3⤵
- Creates scheduled task(s)
PID:3532

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
"{path}"
3⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"
3⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:2408

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE1C9.tmp
Filesize
1KB

MD5
693cec7063ae8316643119c3959510df

SHA1
be146fdbca9d655c68b2c44b0fbae3ba746f4fa8

SHA256
2784a2e4f37567fff37ad56df7267af05f75a88f4a1dca9ec66a1a144e760762

SHA512
86bfd518aabbcd2f69e062f037e7b3582a4bce5ba17b70f75335a768a2b39a80c5aee0cdfd4e72cf2149ad9bf53e1002ead2bba37861ff1c9172526c4aa1ab13

Download Submit
memory/2408-153-0x0000000000000000-mapping.dmp

Download
memory/3140-143-0x0000000008040000-0x000000000818F000-memory.dmp

Filesize
1.3MB

Download
memory/3140-150-0x0000000007B60000-0x0000000007CA8000-memory.dmp

Filesize
1.3MB

Download
memory/3532-135-0x0000000000000000-mapping.dmp

Download
memory/3968-134-0x00000000053D0000-0x00000000053DA000-memory.dmp

Filesize
40KB

Download
memory/3968-131-0x00000000059F0000-0x0000000005F94000-memory.dmp

Filesize
5.6MB

Download
memory/3968-132-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/3968-133-0x00000000054E0000-0x000000000557C000-memory.dmp

Filesize
624KB

Download
memory/3968-130-0x00000000009D0000-0x0000000000A4E000-memory.dmp

Filesize
504KB

Download
memory/4284-149-0x0000000000F70000-0x0000000001000000-memory.dmp

Filesize
576KB

Download
memory/4284-144-0x0000000000000000-mapping.dmp

Download
memory/4284-145-0x0000000000220000-0x000000000022E000-memory.dmp

Filesize
56KB

Download
memory/4284-146-0x0000000000850000-0x000000000087B000-memory.dmp

Filesize
172KB

Download
memory/4284-147-0x0000000001300000-0x000000000164A000-memory.dmp

Filesize
3.3MB

Download
memory/4324-139-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4324-142-0x0000000000D40000-0x0000000000D51000-memory.dmp

Filesize
68KB

Download
memory/4324-140-0x0000000001340000-0x000000000168A000-memory.dmp

Filesize
3.3MB

Download
memory/4324-138-0x0000000000000000-mapping.dmp

Download
memory/4332-137-0x0000000000000000-mapping.dmp

Download
memory/5044-151-0x0000000000000000-mapping.dmp

Download
memory/5108-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads