xloader | 45d1b699698ba99b1a8c51ef57d3ed895b762f418cc05f8c54425e3cebcea4c0

General

Target

ef43e97cb61e5d54d4953a4d3278f220.exe
Size

828KB
MD5

ef43e97cb61e5d54d4953a4d3278f220
SHA1

16e593f0ddae9e67c5dd725d383552a0414ab292
SHA256

45d1b699698ba99b1a8c51ef57d3ed895b762f418cc05f8c54425e3cebcea4c0
SHA512

3e978d30d2bf94a2fe506c44f7bafb94cc3fe8a50a8db1232c2de6b34fd22fd9ec951c63290e3983c42bdf278e00d940c49858b1faa61bdf90bf299532631b71

Score

10^/10

xloader pdrq evasion loader persistence rat suricata

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

pdrq

Decoy

welchsunstar.com

mppservicesllc.com

wiresofteflon.com

brabov.xyz

compnonoch.site

yourbuilderworks.com

iamsamirahman.com

eriqoes.com

eastudio.design

skyearth-est.com

teethfitness.com

razaancreates.com

shfbfs.com

joyfulbrokekids.com

kjbolden.com

howirep.com

deedeesmainecoons.website

e-powair.com

aheatea.com

shalfey0009.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ef43e97cb61e5d54d4953a4d3278f220.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions ef43e97cb61e5d54d4953a4d3278f220.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	ef43e97cb61e5d54d4953a4d3278f220.exe

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1940-67-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/1940-68-0x000000000041F270-mapping.dmp	xloader
behavioral1/memory/1940-71-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/1192-78-0x0000000000080000-0x00000000000AB000-memory.dmp	xloader
behavioral1/memory/1192-82-0x0000000000080000-0x00000000000AB000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\9RDHPR4P_FC = "C:\\Program Files (x86)\\Ltr4tq2eh\\servicesnng4l.exe"	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

servicesnng4l.exe

pid process

1624 servicesnng4l.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ef43e97cb61e5d54d4953a4d3278f220.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools ef43e97cb61e5d54d4953a4d3278f220.exe

pid	process
1624	servicesnng4l.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	ef43e97cb61e5d54d4953a4d3278f220.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ef43e97cb61e5d54d4953a4d3278f220.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ef43e97cb61e5d54d4953a4d3278f220.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ef43e97cb61e5d54d4953a4d3278f220.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ef43e97cb61e5d54d4953a4d3278f220.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ef43e97cb61e5d54d4953a4d3278f220.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ef43e97cb61e5d54d4953a4d3278f220.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ef43e97cb61e5d54d4953a4d3278f220.exeRegSvcs.exesvchost.exe

description	pid	process	target process
PID 2020 set thread context of 1940	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 1940 set thread context of 1300	1940	RegSvcs.exe	Explorer.EXE
PID 1192 set thread context of 1300	1192	svchost.exe	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ltr4tq2eh\servicesnng4l.exe	svchost.exe
File created	C:\Program Files (x86)\Ltr4tq2eh\servicesnng4l.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

624 schtasks.exe

pid	process
624	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

ef43e97cb61e5d54d4953a4d3278f220.exepowershell.exeRegSvcs.exesvchost.exe

pid	process
2020	ef43e97cb61e5d54d4953a4d3278f220.exe
2020	ef43e97cb61e5d54d4953a4d3278f220.exe
2020	ef43e97cb61e5d54d4953a4d3278f220.exe
2020	ef43e97cb61e5d54d4953a4d3278f220.exe
1696	powershell.exe
1940	RegSvcs.exe
1940	RegSvcs.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

RegSvcs.exesvchost.exe

pid process

1940 RegSvcs.exe
1940 RegSvcs.exe
1940 RegSvcs.exe
1192 svchost.exe
1192 svchost.exe
1192 svchost.exe
1192 svchost.exe

pid	process
1940	RegSvcs.exe
1940	RegSvcs.exe
1940	RegSvcs.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

ef43e97cb61e5d54d4953a4d3278f220.exepowershell.exeRegSvcs.exesvchost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2020	ef43e97cb61e5d54d4953a4d3278f220.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1940	RegSvcs.exe
Token: SeDebugPrivilege	1192	svchost.exe
Token: SeShutdownPrivilege	1300	Explorer.EXE
Token: SeShutdownPrivilege	1300	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1300 Explorer.EXE
1300 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1300 Explorer.EXE
1300 Explorer.EXE

pid	process
1300	Explorer.EXE
1300	Explorer.EXE

pid	process
1300	Explorer.EXE
1300	Explorer.EXE

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

ef43e97cb61e5d54d4953a4d3278f220.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 2020 wrote to memory of 1696	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	powershell.exe
PID 2020 wrote to memory of 1696	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	powershell.exe
PID 2020 wrote to memory of 1696	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	powershell.exe
PID 2020 wrote to memory of 1696	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	powershell.exe
PID 2020 wrote to memory of 624	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	schtasks.exe
PID 2020 wrote to memory of 624	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	schtasks.exe
PID 2020 wrote to memory of 624	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	schtasks.exe
PID 2020 wrote to memory of 624	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	schtasks.exe
PID 2020 wrote to memory of 1948	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 2020 wrote to memory of 1948	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 2020 wrote to memory of 1948	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 2020 wrote to memory of 1948	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 2020 wrote to memory of 1948	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 2020 wrote to memory of 1948	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 2020 wrote to memory of 1948	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 2020 wrote to memory of 1940	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 2020 wrote to memory of 1940	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 2020 wrote to memory of 1940	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 2020 wrote to memory of 1940	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 2020 wrote to memory of 1940	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 2020 wrote to memory of 1940	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 2020 wrote to memory of 1940	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 2020 wrote to memory of 1940	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 2020 wrote to memory of 1940	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 2020 wrote to memory of 1940	2020	ef43e97cb61e5d54d4953a4d3278f220.exe	RegSvcs.exe
PID 1300 wrote to memory of 1192	1300	Explorer.EXE	svchost.exe
PID 1300 wrote to memory of 1192	1300	Explorer.EXE	svchost.exe
PID 1300 wrote to memory of 1192	1300	Explorer.EXE	svchost.exe
PID 1300 wrote to memory of 1192	1300	Explorer.EXE	svchost.exe
PID 1192 wrote to memory of 892	1192	svchost.exe	cmd.exe
PID 1192 wrote to memory of 892	1192	svchost.exe	cmd.exe
PID 1192 wrote to memory of 892	1192	svchost.exe	cmd.exe
PID 1192 wrote to memory of 892	1192	svchost.exe	cmd.exe
PID 1192 wrote to memory of 1728	1192	svchost.exe	Firefox.exe
PID 1192 wrote to memory of 1728	1192	svchost.exe	Firefox.exe
PID 1192 wrote to memory of 1728	1192	svchost.exe	Firefox.exe
PID 1192 wrote to memory of 1728	1192	svchost.exe	Firefox.exe
PID 1192 wrote to memory of 1728	1192	svchost.exe	Firefox.exe
PID 1300 wrote to memory of 1624	1300	Explorer.EXE	servicesnng4l.exe
PID 1300 wrote to memory of 1624	1300	Explorer.EXE	servicesnng4l.exe
PID 1300 wrote to memory of 1624	1300	Explorer.EXE	servicesnng4l.exe
PID 1300 wrote to memory of 1624	1300	Explorer.EXE	servicesnng4l.exe
PID 1300 wrote to memory of 1624	1300	Explorer.EXE	servicesnng4l.exe
PID 1300 wrote to memory of 1624	1300	Explorer.EXE	servicesnng4l.exe
PID 1300 wrote to memory of 1624	1300	Explorer.EXE	servicesnng4l.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Local\Temp\ef43e97cb61e5d54d4953a4d3278f220.exe
"C:\Users\Admin\AppData\Local\Temp\ef43e97cb61e5d54d4953a4d3278f220.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lIaHFEbpq.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lIaHFEbpq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFFD3.tmp"
3⤵
- Creates scheduled task(s)
PID:624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:892

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1728

C:\Program Files (x86)\Ltr4tq2eh\servicesnng4l.exe
"C:\Program Files (x86)\Ltr4tq2eh\servicesnng4l.exe"
2⤵
- Executes dropped EXE
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ltr4tq2eh\servicesnng4l.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Program Files (x86)\Ltr4tq2eh\servicesnng4l.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFFD3.tmp
Filesize
1KB

MD5
f0c219e7c32ef968c4e091c7b2749470

SHA1
dd0f8bd01b2682e2ab54c9981e69670c6103a50b

SHA256
53611234b36a01f82d62ad960d14626fd6532b2bf92cef5f4e68cab166ba8837

SHA512
3539b587776ec02046f54907f7966b548c1ffa3e67a90b4aeaf2f78d9ba3ab0c980505a853256500b1e055298d9e85b3fb0b3c713ba823d3a4a78ac6101d49ad

Download Submit
memory/624-60-0x0000000000000000-mapping.dmp

Download
memory/892-76-0x0000000000000000-mapping.dmp

Download
memory/1192-80-0x0000000000460000-0x00000000004F0000-memory.dmp

Filesize
576KB

Download
memory/1192-78-0x0000000000080000-0x00000000000AB000-memory.dmp

Filesize
172KB

Download
memory/1192-75-0x0000000000000000-mapping.dmp

Download
memory/1192-77-0x0000000000700000-0x0000000000708000-memory.dmp

Filesize
32KB

Download
memory/1192-79-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/1192-82-0x0000000000080000-0x00000000000AB000-memory.dmp

Filesize
172KB

Download
memory/1300-83-0x0000000004130000-0x00000000041EE000-memory.dmp

Filesize
760KB

Download
memory/1300-81-0x0000000004130000-0x00000000041EE000-memory.dmp

Filesize
760KB

Download
memory/1300-74-0x0000000004400000-0x00000000044D0000-memory.dmp

Filesize
832KB

Download
memory/1624-89-0x0000000000350000-0x0000000000370000-memory.dmp

Filesize
128KB

Download
memory/1624-85-0x0000000000000000-mapping.dmp

Download
memory/1624-88-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/1696-70-0x000000006E790000-0x000000006ED3B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-59-0x0000000000000000-mapping.dmp

Download
memory/1940-73-0x00000000001A0000-0x00000000001B1000-memory.dmp

Filesize
68KB

Download
memory/1940-72-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/1940-71-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1940-68-0x000000000041F270-mapping.dmp

Download
memory/1940-67-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1940-65-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1940-64-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2020-54-0x00000000010A0000-0x0000000001176000-memory.dmp

Filesize
856KB

Download
memory/2020-63-0x0000000000ED0000-0x0000000000F02000-memory.dmp

Filesize
200KB

Download
memory/2020-58-0x0000000005CB0000-0x0000000005D1A000-memory.dmp

Filesize
424KB

Download
memory/2020-57-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2020-56-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2020-55-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads