xloader | 8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267

General

Target

New purchase Order.exe
Size

477KB
MD5

dd481272bd8f9e8ca40868e4a90db854
SHA1

8871b4d7173d89b539aa1b3e91139cb4c0ce744e
SHA256

8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267
SHA512

168ed59d8f6edd7b37b44441480e59fdef67beb35487974aec59aa36852407c75d5537532f6cd0104327516fd2e0359fadb6fe56a8def782864413df341761a8

Score

10^/10

xloader a8hq loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

a8hq

Decoy

veteransductcleaning.com

beajtjunkies.com

houseofascofi.com

scottsdalemediator.com

atelyadesign.com

profitcase.pro

imtokenio.club

qinglingpai.com

bigsmile-meal.net

daytonlivestream.com

aspiradores10.online

ytybs120.com

hdatelier.com

bearpierce.com

yeson28ca.com

booklearner.com

m8j9.club

mmophamthinhlegend.space

hq4a7o6zb.com

sophiadaki.online

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4760-139-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral2/memory/4760-141-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral2/memory/2304-147-0x0000000000F40000-0x0000000000F6B000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

cscript.exe

flow pid process

80 2304 cscript.exe

flow	pid	process
80	2304	cscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New purchase Order.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	New purchase Order.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

New purchase Order.exeNew purchase Order.execscript.exe

description	pid	process	target process
PID 3092 set thread context of 4760	3092	New purchase Order.exe	New purchase Order.exe
PID 4760 set thread context of 3148	4760	New purchase Order.exe	Explorer.EXE
PID 2304 set thread context of 3148	2304	cscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3600 schtasks.exe

pid	process
3600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

New purchase Order.exeNew purchase Order.execscript.exe

pid	process
3092	New purchase Order.exe
3092	New purchase Order.exe
3092	New purchase Order.exe
4760	New purchase Order.exe
4760	New purchase Order.exe
4760	New purchase Order.exe
4760	New purchase Order.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe
2304	cscript.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

New purchase Order.execscript.exe

pid process

4760 New purchase Order.exe
4760 New purchase Order.exe
4760 New purchase Order.exe
2304 cscript.exe
2304 cscript.exe

pid	process
4760	New purchase Order.exe
4760	New purchase Order.exe
4760	New purchase Order.exe
2304	cscript.exe
2304	cscript.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

New purchase Order.exeNew purchase Order.execscript.exe

description	pid	process
Token: SeDebugPrivilege	3092	New purchase Order.exe
Token: SeDebugPrivilege	4760	New purchase Order.exe
Token: SeDebugPrivilege	2304	cscript.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

New purchase Order.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 3092 wrote to memory of 3600	3092	New purchase Order.exe	schtasks.exe
PID 3092 wrote to memory of 3600	3092	New purchase Order.exe	schtasks.exe
PID 3092 wrote to memory of 3600	3092	New purchase Order.exe	schtasks.exe
PID 3092 wrote to memory of 5112	3092	New purchase Order.exe	New purchase Order.exe
PID 3092 wrote to memory of 5112	3092	New purchase Order.exe	New purchase Order.exe
PID 3092 wrote to memory of 5112	3092	New purchase Order.exe	New purchase Order.exe
PID 3092 wrote to memory of 4760	3092	New purchase Order.exe	New purchase Order.exe
PID 3092 wrote to memory of 4760	3092	New purchase Order.exe	New purchase Order.exe
PID 3092 wrote to memory of 4760	3092	New purchase Order.exe	New purchase Order.exe
PID 3092 wrote to memory of 4760	3092	New purchase Order.exe	New purchase Order.exe
PID 3092 wrote to memory of 4760	3092	New purchase Order.exe	New purchase Order.exe
PID 3092 wrote to memory of 4760	3092	New purchase Order.exe	New purchase Order.exe
PID 3148 wrote to memory of 2304	3148	Explorer.EXE	cscript.exe
PID 3148 wrote to memory of 2304	3148	Explorer.EXE	cscript.exe
PID 3148 wrote to memory of 2304	3148	Explorer.EXE	cscript.exe
PID 2304 wrote to memory of 204	2304	cscript.exe	cmd.exe
PID 2304 wrote to memory of 204	2304	cscript.exe	cmd.exe
PID 2304 wrote to memory of 204	2304	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NADfrJFSUbwNu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp"
3⤵
- Creates scheduled task(s)
PID:3600

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
"{path}"
3⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"
3⤵
PID:204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp
Filesize
1KB

MD5
693cec7063ae8316643119c3959510df

SHA1
be146fdbca9d655c68b2c44b0fbae3ba746f4fa8

SHA256
2784a2e4f37567fff37ad56df7267af05f75a88f4a1dca9ec66a1a144e760762

SHA512
86bfd518aabbcd2f69e062f037e7b3582a4bce5ba17b70f75335a768a2b39a80c5aee0cdfd4e72cf2149ad9bf53e1002ead2bba37861ff1c9172526c4aa1ab13

Download Submit
memory/204-148-0x0000000000000000-mapping.dmp

Download
memory/2304-149-0x0000000002F50000-0x000000000329A000-memory.dmp

Filesize
3.3MB

Download
memory/2304-150-0x0000000002DB0000-0x0000000002E40000-memory.dmp

Filesize
576KB

Download
memory/2304-145-0x0000000000000000-mapping.dmp

Download
memory/2304-146-0x0000000000070000-0x0000000000097000-memory.dmp

Filesize
156KB

Download
memory/2304-147-0x0000000000F40000-0x0000000000F6B000-memory.dmp

Filesize
172KB

Download
memory/3092-133-0x0000000005900000-0x000000000599C000-memory.dmp

Filesize
624KB

Download
memory/3092-134-0x00000000057F0000-0x00000000057FA000-memory.dmp

Filesize
40KB

Download
memory/3092-130-0x0000000000DF0000-0x0000000000E6E000-memory.dmp

Filesize
504KB

Download
memory/3092-132-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/3092-131-0x0000000005EB0000-0x0000000006454000-memory.dmp

Filesize
5.6MB

Download
memory/3148-151-0x0000000002720000-0x0000000002855000-memory.dmp

Filesize
1.2MB

Download
memory/3148-144-0x0000000008250000-0x00000000083E2000-memory.dmp

Filesize
1.6MB

Download
memory/3600-135-0x0000000000000000-mapping.dmp

Download
memory/4760-143-0x0000000001930000-0x0000000001941000-memory.dmp

Filesize
68KB

Download
memory/4760-142-0x00000000015C0000-0x000000000190A000-memory.dmp

Filesize
3.3MB

Download
memory/4760-141-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4760-139-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4760-138-0x0000000000000000-mapping.dmp

Download
memory/5112-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads