xloader | a5e127b40d8ee4de136544f90b47723aee93def5d9e292d9976ff792052f717d

General

Target

630377.xls .scr
Size

535KB
MD5

596b08cab4dec9f4c91112410b811c22
SHA1

c5aa419d8d5e9ff5b7bab305d59c044e3c49a47b
SHA256

2cccc56f00e67c1f5a329b4d4815f736f7c866cc2b50e590341ac2e5cd0a85be
SHA512

f7fc7248ffbcd6cadf5ba869d6b622bf70a081687f3434f2e681c2ce89457eef07c8b0eac00dd87c04a0a641be2a69cf7b9e0c015e55865783168ba1695c71f8

Score

10^/10

xloader rcgc loader persistence rat

Malware Config

Extracted

Family

xloader

Version

2.0

Campaign

rcgc

Decoy

allwinpressing.com

topographix.net

theraymondng.com

massvp.com

evchn.com

victorialouiseimagery.com

gallerysouthlosaltos.com

rackspaceupdate.com

genesprofile.com

vyscoxa.net

lishaobing.com

knottherapymassage.com

grappletoytether.net

thetastevegan.com

actionpaintservices.com

perdidoveteransdayparty.com

hotteo.com

tanngogia.com

xn--oy2b11lymexwcbzy.com

ap-lrco.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5012-144-0x0000000000400000-0x0000000000427000-memory.dmp	xloader
behavioral2/memory/4760-154-0x0000000000510000-0x0000000000537000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

mbdx.exeAddInProcess32.exe

pid process

4980 mbdx.exe
5012 AddInProcess32.exe

pid	process
4980	mbdx.exe
5012	AddInProcess32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

630377.xls .scr

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	630377.xls .scr

Loads dropped DLL 2 IoCs

Processes:

630377.xls .scrmbdx.exe

pid process

2988 630377.xls .scr
4980 mbdx.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smybv = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\mbdx.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

mbdx.exeAddInProcess32.execontrol.exe

description	pid	process	target process
PID 4980 set thread context of 5012	4980	mbdx.exe	AddInProcess32.exe
PID 5012 set thread context of 2040	5012	AddInProcess32.exe	Explorer.EXE
PID 4760 set thread context of 2040	4760	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

630377.xls .scrmbdx.exeAddInProcess32.execontrol.exe

pid	process
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
2988	630377.xls .scr
4980	mbdx.exe
4980	mbdx.exe
4980	mbdx.exe
5012	AddInProcess32.exe
5012	AddInProcess32.exe
5012	AddInProcess32.exe
5012	AddInProcess32.exe
4760	control.exe
4760	control.exe
4760	control.exe
4760	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

AddInProcess32.execontrol.exe

pid process

5012 AddInProcess32.exe
5012 AddInProcess32.exe
5012 AddInProcess32.exe
4760 control.exe
4760 control.exe

pid	process
5012	AddInProcess32.exe
5012	AddInProcess32.exe
5012	AddInProcess32.exe
4760	control.exe
4760	control.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

630377.xls .scrmbdx.exeAddInProcess32.execontrol.exe

description	pid	process
Token: SeDebugPrivilege	2988	630377.xls .scr
Token: SeDebugPrivilege	4980	mbdx.exe
Token: SeDebugPrivilege	5012	AddInProcess32.exe
Token: SeDebugPrivilege	4760	control.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

630377.xls .scrcmd.exembdx.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 2988 wrote to memory of 3428	2988	630377.xls .scr	cmd.exe
PID 2988 wrote to memory of 3428	2988	630377.xls .scr	cmd.exe
PID 2988 wrote to memory of 3428	2988	630377.xls .scr	cmd.exe
PID 3428 wrote to memory of 4156	3428	cmd.exe	reg.exe
PID 3428 wrote to memory of 4156	3428	cmd.exe	reg.exe
PID 3428 wrote to memory of 4156	3428	cmd.exe	reg.exe
PID 2988 wrote to memory of 4980	2988	630377.xls .scr	mbdx.exe
PID 2988 wrote to memory of 4980	2988	630377.xls .scr	mbdx.exe
PID 2988 wrote to memory of 4980	2988	630377.xls .scr	mbdx.exe
PID 4980 wrote to memory of 5012	4980	mbdx.exe	AddInProcess32.exe
PID 4980 wrote to memory of 5012	4980	mbdx.exe	AddInProcess32.exe
PID 4980 wrote to memory of 5012	4980	mbdx.exe	AddInProcess32.exe
PID 4980 wrote to memory of 5012	4980	mbdx.exe	AddInProcess32.exe
PID 4980 wrote to memory of 5012	4980	mbdx.exe	AddInProcess32.exe
PID 4980 wrote to memory of 5012	4980	mbdx.exe	AddInProcess32.exe
PID 2040 wrote to memory of 4760	2040	Explorer.EXE	control.exe
PID 2040 wrote to memory of 4760	2040	Explorer.EXE	control.exe
PID 2040 wrote to memory of 4760	2040	Explorer.EXE	control.exe
PID 4760 wrote to memory of 652	4760	control.exe	cmd.exe
PID 4760 wrote to memory of 652	4760	control.exe	cmd.exe
PID 4760 wrote to memory of 652	4760	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\630377.xls .scr
"C:\Users\Admin\AppData\Local\Temp\630377.xls .scr" /S
2⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v smybv /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\mbdx.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v smybv /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\mbdx.exe"
4⤵
- Adds Run key to start application
PID:4156

C:\Users\Admin\mbdx.exe
"C:\Users\Admin\mbdx.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
PID:652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\305ca9ce-05a7-4081-bcf5-b3110c43e68e\l.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\305ca9ce-05a7-4081-bcf5-b3110c43e68e\l.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\305ca9ce-05a7-4081-bcf5-b3110c43e68e\l.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
C:\Users\Admin\mbdx.exe
Filesize
535KB

MD5
596b08cab4dec9f4c91112410b811c22

SHA1
c5aa419d8d5e9ff5b7bab305d59c044e3c49a47b

SHA256
2cccc56f00e67c1f5a329b4d4815f736f7c866cc2b50e590341ac2e5cd0a85be

SHA512
f7fc7248ffbcd6cadf5ba869d6b622bf70a081687f3434f2e681c2ce89457eef07c8b0eac00dd87c04a0a641be2a69cf7b9e0c015e55865783168ba1695c71f8

Download Submit
C:\Users\Admin\mbdx.exe
Filesize
535KB

MD5
596b08cab4dec9f4c91112410b811c22

SHA1
c5aa419d8d5e9ff5b7bab305d59c044e3c49a47b

SHA256
2cccc56f00e67c1f5a329b4d4815f736f7c866cc2b50e590341ac2e5cd0a85be

SHA512
f7fc7248ffbcd6cadf5ba869d6b622bf70a081687f3434f2e681c2ce89457eef07c8b0eac00dd87c04a0a641be2a69cf7b9e0c015e55865783168ba1695c71f8

Download Submit
memory/652-152-0x0000000000000000-mapping.dmp

Download
memory/2040-149-0x00000000080B0000-0x00000000081F0000-memory.dmp

Filesize
1.2MB

Download
memory/2040-157-0x00000000083B0000-0x0000000008523000-memory.dmp

Filesize
1.4MB

Download
memory/2988-130-0x0000000000630000-0x00000000006BC000-memory.dmp

Filesize
560KB

Download
memory/2988-132-0x0000000073D40000-0x0000000073DC9000-memory.dmp

Filesize
548KB

Download
memory/2988-134-0x0000000005A80000-0x0000000005B12000-memory.dmp

Filesize
584KB

Download
memory/2988-133-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download
memory/3428-135-0x0000000000000000-mapping.dmp

Download
memory/4156-136-0x0000000000000000-mapping.dmp

Download
memory/4760-156-0x0000000002450000-0x00000000024DF000-memory.dmp

Filesize
572KB

Download
memory/4760-155-0x0000000002620000-0x000000000296A000-memory.dmp

Filesize
3.3MB

Download
memory/4760-153-0x0000000000A40000-0x0000000000A67000-memory.dmp

Filesize
156KB

Download
memory/4760-154-0x0000000000510000-0x0000000000537000-memory.dmp

Filesize
156KB

Download
memory/4760-150-0x0000000000000000-mapping.dmp

Download
memory/4980-142-0x0000000073D40000-0x0000000073DC9000-memory.dmp

Filesize
548KB

Download
memory/4980-137-0x0000000000000000-mapping.dmp

Download
memory/5012-148-0x0000000001090000-0x00000000010A0000-memory.dmp

Filesize
64KB

Download
memory/5012-147-0x0000000001550000-0x000000000189A000-memory.dmp

Filesize
3.3MB

Download
memory/5012-144-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5012-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads