xloader | af734d11eb2809d171ff3e63096cb2cbd38ee44a6e4b9e0ab195498635208598

General

Target

SecuriteInfo.com.W32.AIDetectNet.01.19961.exe
Size

448KB
MD5

4cfcb2976dc600ecd5e61ee012d2cf80
SHA1

bb6405e828b4f43846e2bf5dcfda7ccad2c204a3
SHA256

af734d11eb2809d171ff3e63096cb2cbd38ee44a6e4b9e0ab195498635208598
SHA512

9743553db9ce03ba401b14e9c018957b94e6b42ed2cf430432ef2d9fa7343ce1b16439842457465ad1d0960a3ee72881b130f8a35cce06b2e1475e1b2f03d6a2

Score

10^/10

xloader r87g loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

r87g

Decoy

gzjyjzsj.com

rapibest.com

affordablebathroomsbyfrank.net

roboruben.com

xn--dlisucr-byag.com

encoreasso.com

piscire.com

dixiebusybee.com

newrome.xyz

sunshinejon.com

glacierforfcs.xyz

borhanmarket.com

tous-des-cons.club

hsfstea.com

spiniform.info

vaicomfibra.com

shinigami.xyz

kryptoindia.com

listentoappetite.com

securepplpay.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3956-140-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.19961.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.19961.exe

description	pid	process	target process
PID 4692 set thread context of 3956	4692	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4084 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeSecuriteInfo.com.W32.AIDetectNet.01.19961.exe

pid process

4912 powershell.exe
3956 SecuriteInfo.com.W32.AIDetectNet.01.19961.exe
3956 SecuriteInfo.com.W32.AIDetectNet.01.19961.exe
4912 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4912 powershell.exe

pid	process
4084	schtasks.exe

pid	process
4912	powershell.exe
3956	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe
3956	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe
4912	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4912	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.19961.exe

description	pid	process	target process
PID 4692 wrote to memory of 4912	4692	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe	powershell.exe
PID 4692 wrote to memory of 4912	4692	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe	powershell.exe
PID 4692 wrote to memory of 4912	4692	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe	powershell.exe
PID 4692 wrote to memory of 4084	4692	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe	schtasks.exe
PID 4692 wrote to memory of 4084	4692	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe	schtasks.exe
PID 4692 wrote to memory of 4084	4692	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe	schtasks.exe
PID 4692 wrote to memory of 3956	4692	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe
PID 4692 wrote to memory of 3956	4692	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe
PID 4692 wrote to memory of 3956	4692	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe
PID 4692 wrote to memory of 3956	4692	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe
PID 4692 wrote to memory of 3956	4692	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe
PID 4692 wrote to memory of 3956	4692	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe	SecuriteInfo.com.W32.AIDetectNet.01.19961.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19961.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19961.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hJzNgUBNjbq.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hJzNgUBNjbq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD49.tmp"
2⤵
- Creates scheduled task(s)
PID:4084

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19961.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19961.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD49.tmp
Filesize
1KB

MD5
1c9233ba7e8416cfce6d0f9be0b60829

SHA1
9955c1e8ee38927b359f6d29ee36cf5fc74fd9f8

SHA256
68a8e2b057c82b41f0c3f055eddb0e55ee1e3a0767fa6534661d505cdeff1fc9

SHA512
eff59b83fe243aaf2224b51a525c982fdf26c33efdf1ad53597564e6279f999223ad95144c6f53db1a59eee8960fa7f3d16ce42e088d9bf8ac3d316e4aeb7683

Download Submit
memory/3956-140-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3956-144-0x0000000001810000-0x0000000001B5A000-memory.dmp

Filesize
3.3MB

Download
memory/3956-139-0x0000000000000000-mapping.dmp

Download
memory/4084-136-0x0000000000000000-mapping.dmp

Download
memory/4692-131-0x00000000056B0000-0x0000000005C54000-memory.dmp

Filesize
5.6MB

Download
memory/4692-132-0x00000000051A0000-0x0000000005232000-memory.dmp

Filesize
584KB

Download
memory/4692-133-0x0000000005160000-0x000000000516A000-memory.dmp

Filesize
40KB

Download
memory/4692-134-0x0000000007D00000-0x0000000007D9C000-memory.dmp

Filesize
624KB

Download
memory/4692-130-0x00000000008B0000-0x0000000000920000-memory.dmp

Filesize
448KB

Download
memory/4912-142-0x0000000004E00000-0x0000000004E22000-memory.dmp

Filesize
136KB

Download
memory/4912-149-0x0000000006170000-0x000000000618E000-memory.dmp

Filesize
120KB

Download
memory/4912-138-0x0000000002350000-0x0000000002386000-memory.dmp

Filesize
216KB

Download
memory/4912-135-0x0000000000000000-mapping.dmp

Download
memory/4912-143-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/4912-145-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/4912-146-0x0000000005C50000-0x0000000005C6E000-memory.dmp

Filesize
120KB

Download
memory/4912-147-0x0000000006190000-0x00000000061C2000-memory.dmp

Filesize
200KB

Download
memory/4912-148-0x0000000071AD0000-0x0000000071B1C000-memory.dmp

Filesize
304KB

Download
memory/4912-141-0x0000000004E40000-0x0000000005468000-memory.dmp

Filesize
6.2MB

Download
memory/4912-150-0x0000000007540000-0x0000000007BBA000-memory.dmp

Filesize
6.5MB

Download
memory/4912-151-0x0000000006EE0000-0x0000000006EFA000-memory.dmp

Filesize
104KB

Download
memory/4912-152-0x0000000006F40000-0x0000000006F4A000-memory.dmp

Filesize
40KB

Download
memory/4912-153-0x0000000007170000-0x0000000007206000-memory.dmp

Filesize
600KB

Download
memory/4912-154-0x0000000007120000-0x000000000712E000-memory.dmp

Filesize
56KB

Download
memory/4912-155-0x0000000007210000-0x000000000722A000-memory.dmp

Filesize
104KB

Download
memory/4912-156-0x0000000007160000-0x0000000007168000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads