xloader | 8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267

General

Target

New purchase Order.exe
Size

477KB
MD5

dd481272bd8f9e8ca40868e4a90db854
SHA1

8871b4d7173d89b539aa1b3e91139cb4c0ce744e
SHA256

8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267
SHA512

168ed59d8f6edd7b37b44441480e59fdef67beb35487974aec59aa36852407c75d5537532f6cd0104327516fd2e0359fadb6fe56a8def782864413df341761a8

Score

10^/10

xloader a8hq loader rat

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

a8hq

Decoy

veteransductcleaning.com

beajtjunkies.com

houseofascofi.com

scottsdalemediator.com

atelyadesign.com

profitcase.pro

imtokenio.club

qinglingpai.com

bigsmile-meal.net

daytonlivestream.com

aspiradores10.online

ytybs120.com

hdatelier.com

bearpierce.com

yeson28ca.com

booklearner.com

m8j9.club

mmophamthinhlegend.space

hq4a7o6zb.com

sophiadaki.online

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/832-64-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/832-65-0x000000000041F2C0-mapping.dmp	xloader
behavioral1/memory/832-67-0x0000000000400000-0x000000000042B000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

New purchase Order.exeNew purchase Order.exe

description	pid	process	target process
PID 884 set thread context of 832	884	New purchase Order.exe	New purchase Order.exe
PID 832 set thread context of 1260	832	New purchase Order.exe	Explorer.EXE
PID 832 set thread context of 1260	832	New purchase Order.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1172 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

New purchase Order.exeNew purchase Order.exe

pid process

884 New purchase Order.exe
832 New purchase Order.exe
832 New purchase Order.exe
832 New purchase Order.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

New purchase Order.exe

pid process

832 New purchase Order.exe
832 New purchase Order.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

New purchase Order.exeNew purchase Order.exe

description pid process

Token: SeDebugPrivilege 884 New purchase Order.exe
Token: SeDebugPrivilege 832 New purchase Order.exe

pid	process
1172	schtasks.exe

pid	process
884	New purchase Order.exe
832	New purchase Order.exe
832	New purchase Order.exe
832	New purchase Order.exe

pid	process
832	New purchase Order.exe
832	New purchase Order.exe

description	pid	process
Token: SeDebugPrivilege	884	New purchase Order.exe
Token: SeDebugPrivilege	832	New purchase Order.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

New purchase Order.exe

description	pid	process	target process
PID 884 wrote to memory of 1172	884	New purchase Order.exe	schtasks.exe
PID 884 wrote to memory of 1172	884	New purchase Order.exe	schtasks.exe
PID 884 wrote to memory of 1172	884	New purchase Order.exe	schtasks.exe
PID 884 wrote to memory of 1172	884	New purchase Order.exe	schtasks.exe
PID 884 wrote to memory of 832	884	New purchase Order.exe	New purchase Order.exe
PID 884 wrote to memory of 832	884	New purchase Order.exe	New purchase Order.exe
PID 884 wrote to memory of 832	884	New purchase Order.exe	New purchase Order.exe
PID 884 wrote to memory of 832	884	New purchase Order.exe	New purchase Order.exe
PID 884 wrote to memory of 832	884	New purchase Order.exe	New purchase Order.exe
PID 884 wrote to memory of 832	884	New purchase Order.exe	New purchase Order.exe
PID 884 wrote to memory of 832	884	New purchase Order.exe	New purchase Order.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NADfrJFSUbwNu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAB4E.tmp"
3⤵
- Creates scheduled task(s)
PID:1172

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:832

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAB4E.tmp
Filesize
1KB

MD5
231f63059ec3c0ee73572994bde4bfed

SHA1
d14200c81c501834b7c21345cee8097d08e07bda

SHA256
fe3b361ce3bdf2b2deb9e3592190b1ac6ff487ad9966fb111189b6fd8fc53353

SHA512
9eabd4d37e6b0f7e21c0bb9a934ab85e9324a2d19243ed759bc0e9443c6431f9a76c47eb6ba65b9192abe9e8e50714741854b9fc312f7ad2a89db3e8d722fc2e

Download Submit
memory/832-68-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/832-61-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/832-72-0x0000000000210000-0x0000000000221000-memory.dmp

Filesize
68KB

Download
memory/832-69-0x0000000000140000-0x0000000000151000-memory.dmp

Filesize
68KB

Download
memory/832-64-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/832-67-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/832-65-0x000000000041F2C0-mapping.dmp

Download
memory/832-62-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/884-56-0x0000000000810000-0x000000000081A000-memory.dmp

Filesize
40KB

Download
memory/884-55-0x0000000075D21000-0x0000000075D23000-memory.dmp

Filesize
8KB

Download
memory/884-54-0x0000000000F90000-0x000000000100E000-memory.dmp

Filesize
504KB

Download
memory/884-58-0x0000000000AD0000-0x0000000000B02000-memory.dmp

Filesize
200KB

Download
memory/884-57-0x0000000004EC0000-0x0000000004F42000-memory.dmp

Filesize
520KB

Download
memory/1172-59-0x0000000000000000-mapping.dmp

Download
memory/1260-70-0x0000000006310000-0x0000000006475000-memory.dmp

Filesize
1.4MB

Download
memory/1260-73-0x0000000006590000-0x0000000006679000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads