xloader | 9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538

Analysis

max time kernel
153s
max time network
185s
platform
windows10_x64
resource
win10-20220414-en
submitted
15-06-2022 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe
Size

636KB
MD5

6ed1c4844a27a65362d2230d7318009a
SHA1

fc12323a10b30a5b0e1c1a934bca865cd1ed95f2
SHA256

9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538
SHA512

ffb52234bbd20e068f0f06c2b771640242fd82c327a29c980d7158ca4501621f832e506d8c30857815495497478cc23618b489e6eb88b140a2f9a8d1ce11fcfe

Score

10^/10

xloader nn40 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

nn40

Decoy

LYAg0yANOGEAGeaFOrA/

MQWuERZplP+VZy/uszI=

CF0oDN0JimIaGy/uszI=

ltJnyC+ReohYaiTvj1qbEA==

B9OkgdctVKBAFjSUaw==

sbDVwSZVVqVB11/deow8GA==

v1gHDe0pzno=

i+/0n2vHUfGPR98k77tukZ90MQ==

SUtCnbS96Qm21g==

8X9qzyt1dpAo31jXrXfKb49fBPY=

5KlPxqHzSstuFjSUaw==

0r/Kesv/zuanroxvNQW0Gm8=

FFgS7kfPYAqpdhhgRgnBJHY=

LgusAHrkrIoWr0FWIe2o/04UXPw=

vBq9Gvxa9wbKbS/uszI=

Z+q6HAZNNeqwwQ==

wbS4fMb06SjU5Kbseow8GA==

1mZEuZvJ/m0L9bof56PkkZ90MQ==

JCJIM74lHk/o+tiFOrA/

d14FrM8rGEgIzVkT67+3XaEh

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/5048-186-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/5048-187-0x000000000041F640-mapping.dmp	xloader
behavioral1/memory/5048-217-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/2452-236-0x0000000004CD0000-0x0000000004CFC000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

Processes:

9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exeRegSvcs.exechkdsk.exe

description	pid	process	target process
PID 3248 set thread context of 5048	3248	9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe	RegSvcs.exe
PID 5048 set thread context of 3240	5048	RegSvcs.exe	Explorer.EXE
PID 5048 set thread context of 3240	5048	RegSvcs.exe	Explorer.EXE
PID 2452 set thread context of 3240	2452	chkdsk.exe	Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exeRegSvcs.exechkdsk.exe

pid	process
3248	9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe
3248	9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe
3248	9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe
3248	9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe
5048	RegSvcs.exe
5048	RegSvcs.exe
5048	RegSvcs.exe
5048	RegSvcs.exe
5048	RegSvcs.exe
5048	RegSvcs.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe
2452	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3240 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.exechkdsk.exe

pid process

5048 RegSvcs.exe
5048 RegSvcs.exe
5048 RegSvcs.exe
5048 RegSvcs.exe
2452 chkdsk.exe
2452 chkdsk.exe

pid	process
3240	Explorer.EXE

pid	process
5048	RegSvcs.exe
5048	RegSvcs.exe
5048	RegSvcs.exe
5048	RegSvcs.exe
2452	chkdsk.exe
2452	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exeRegSvcs.exechkdsk.exe

description	pid	process
Token: SeDebugPrivilege	3248	9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe
Token: SeDebugPrivilege	5048	RegSvcs.exe
Token: SeDebugPrivilege	2452	chkdsk.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exeExplorer.EXE

description	pid	process	target process
PID 3248 wrote to memory of 1872	3248	9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe	RegSvcs.exe
PID 3248 wrote to memory of 1872	3248	9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe	RegSvcs.exe
PID 3248 wrote to memory of 1872	3248	9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe	RegSvcs.exe
PID 3248 wrote to memory of 5048	3248	9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe	RegSvcs.exe
PID 3248 wrote to memory of 5048	3248	9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe	RegSvcs.exe
PID 3248 wrote to memory of 5048	3248	9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe	RegSvcs.exe
PID 3248 wrote to memory of 5048	3248	9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe	RegSvcs.exe
PID 3248 wrote to memory of 5048	3248	9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe	RegSvcs.exe
PID 3248 wrote to memory of 5048	3248	9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe	RegSvcs.exe
PID 3240 wrote to memory of 2452	3240	Explorer.EXE	chkdsk.exe
PID 3240 wrote to memory of 2452	3240	Explorer.EXE	chkdsk.exe
PID 3240 wrote to memory of 2452	3240	Explorer.EXE	chkdsk.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3240

C:\Users\Admin\AppData\Local\Temp\9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe
"C:\Users\Admin\AppData\Local\Temp\9628397359b089bca7436b3618a5358d06f73ec0a99f356dcea30a99df793538.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4944

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4916

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4080

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4196

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2472

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2436

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2452-216-0x0000000000000000-mapping.dmp

Download
memory/2452-235-0x0000000000930000-0x000000000093A000-memory.dmp

Filesize
40KB

Download
memory/2452-236-0x0000000004CD0000-0x0000000004CFC000-memory.dmp

Filesize
176KB

Download
memory/2452-245-0x0000000005230000-0x00000000052C0000-memory.dmp

Filesize
576KB

Download
memory/2452-237-0x0000000004E80000-0x00000000051A0000-memory.dmp

Filesize
3.1MB

Download
memory/3240-212-0x00000000027C0000-0x00000000028E5000-memory.dmp

Filesize
1.1MB

Download
memory/3240-215-0x0000000004C30000-0x0000000004CEB000-memory.dmp

Filesize
748KB

Download
memory/3240-248-0x00000000060D0000-0x000000000620D000-memory.dmp

Filesize
1.2MB

Download
memory/3240-247-0x0000000004C30000-0x0000000004CEB000-memory.dmp

Filesize
748KB

Download
memory/3240-246-0x00000000060D0000-0x000000000620D000-memory.dmp

Filesize
1.2MB

Download
memory/3248-154-0x0000000005740000-0x0000000005C3E000-memory.dmp

Filesize
5.0MB

Download
memory/3248-161-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-123-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-125-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-126-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-127-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-129-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-131-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-130-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-132-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-128-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-133-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-134-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-135-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-136-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-138-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-139-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-137-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-140-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-141-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-143-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-142-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-144-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-145-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-146-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-147-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-148-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-149-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-150-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-151-0x00000000007E0000-0x0000000000886000-memory.dmp

Filesize
664KB

Download
memory/3248-152-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-153-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-119-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-155-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-156-0x0000000002E00000-0x0000000002E92000-memory.dmp

Filesize
584KB

Download
memory/3248-157-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-158-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-159-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-160-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-124-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-162-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-163-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-164-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-165-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-166-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-167-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-168-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-169-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-170-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-172-0x0000000002C80000-0x0000000002C8A000-memory.dmp

Filesize
40KB

Download
memory/3248-171-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-173-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-175-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-174-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-178-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-179-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-180-0x0000000005720000-0x000000000572C000-memory.dmp

Filesize
48KB

Download
memory/3248-177-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-176-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-181-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-182-0x0000000008A70000-0x0000000008ADA000-memory.dmp

Filesize
424KB

Download
memory/3248-183-0x0000000008B80000-0x0000000008C1C000-memory.dmp

Filesize
624KB

Download
memory/3248-184-0x0000000008B50000-0x0000000008B82000-memory.dmp

Filesize
200KB

Download
memory/3248-185-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-118-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-117-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-120-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-121-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3248-122-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/5048-211-0x0000000000B90000-0x0000000000C3E000-memory.dmp

Filesize
696KB

Download
memory/5048-202-0x0000000001110000-0x0000000001430000-memory.dmp

Filesize
3.1MB

Download
memory/5048-189-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/5048-188-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/5048-187-0x000000000041F640-mapping.dmp

Download
memory/5048-186-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5048-214-0x0000000000B90000-0x0000000000C3E000-memory.dmp

Filesize
696KB

Download
memory/5048-217-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download