xloader | 436b6a6031748458ed3e78927394bf124d79e779ccb81eb7329beb9eaa3e9b17

Analysis

max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10-20220414-en
submitted
22-06-2022 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

893KB
MD5

001572ce1d689cab9270948ca76d61c0
SHA1

5d833185231eca4887b43a87842f17e1970216c8
SHA256

436b6a6031748458ed3e78927394bf124d79e779ccb81eb7329beb9eaa3e9b17
SHA512

82f754e319e765aa3c756483d10f3d8415b458bc75c1c3d2bb1f2fd39e8b68adc20fa1640f0d9d00634f2efe9f0cff7bc423b55cded390665794c1e24a045ff5

Score

10^/10

xloader nn40 loader rat spyware stealer suricata

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

nn40

Decoy

LYAg0yANOGEAGeaFOrA/

MQWuERZplP+VZy/uszI=

CF0oDN0JimIaGy/uszI=

ltJnyC+ReohYaiTvj1qbEA==

B9OkgdctVKBAFjSUaw==

sbDVwSZVVqVB11/deow8GA==

v1gHDe0pzno=

i+/0n2vHUfGPR98k77tukZ90MQ==

SUtCnbS96Qm21g==

8X9qzyt1dpAo31jXrXfKb49fBPY=

5KlPxqHzSstuFjSUaw==

0r/Kesv/zuanroxvNQW0Gm8=

FFgS7kfPYAqpdhhgRgnBJHY=

LgusAHrkrIoWr0FWIe2o/04UXPw=

vBq9Gvxa9wbKbS/uszI=

Z+q6HAZNNeqwwQ==

wbS4fMb06SjU5Kbseow8GA==

1mZEuZvJ/m0L9bof56PkkZ90MQ==

JCJIM74lHk/o+tiFOrA/

d14FrM8rGEgIzVkT67+3XaEh

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3648-184-0x000000000041F640-mapping.dmp	xloader
behavioral2/memory/3648-183-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/3648-199-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/3136-237-0x0000000000BA0000-0x0000000000BCC000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Purchase Order.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Control Panel\International\Geo\Nation	Purchase Order.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

Purchase Order.exePurchase Order.exewscript.exe

description	pid	process	target process
PID 4796 set thread context of 3648	4796	Purchase Order.exe	Purchase Order.exe
PID 3648 set thread context of 3168	3648	Purchase Order.exe	Explorer.EXE
PID 3136 set thread context of 3168	3136	wscript.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4236190499-842014725-259441995-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wscript.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

Purchase Order.exewscript.exe

pid	process
3648	Purchase Order.exe
3648	Purchase Order.exe
3648	Purchase Order.exe
3648	Purchase Order.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe
3136	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3168 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Purchase Order.exewscript.exe

pid process

3648 Purchase Order.exe
3648 Purchase Order.exe
3648 Purchase Order.exe
3136 wscript.exe
3136 wscript.exe
3136 wscript.exe
3136 wscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase Order.exewscript.exe

description pid process

Token: SeDebugPrivilege 3648 Purchase Order.exe
Token: SeDebugPrivilege 3136 wscript.exe

pid	process
3168	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3648	Purchase Order.exe
Token: SeDebugPrivilege	3136	wscript.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Purchase Order.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 4796 wrote to memory of 3648	4796	Purchase Order.exe	Purchase Order.exe
PID 4796 wrote to memory of 3648	4796	Purchase Order.exe	Purchase Order.exe
PID 4796 wrote to memory of 3648	4796	Purchase Order.exe	Purchase Order.exe
PID 4796 wrote to memory of 3648	4796	Purchase Order.exe	Purchase Order.exe
PID 4796 wrote to memory of 3648	4796	Purchase Order.exe	Purchase Order.exe
PID 4796 wrote to memory of 3648	4796	Purchase Order.exe	Purchase Order.exe
PID 3168 wrote to memory of 3136	3168	Explorer.EXE	wscript.exe
PID 3168 wrote to memory of 3136	3168	Explorer.EXE	wscript.exe
PID 3168 wrote to memory of 3136	3168	Explorer.EXE	wscript.exe
PID 3136 wrote to memory of 3708	3136	wscript.exe	cmd.exe
PID 3136 wrote to memory of 3708	3136	wscript.exe	cmd.exe
PID 3136 wrote to memory of 3708	3136	wscript.exe	cmd.exe
PID 3136 wrote to memory of 4536	3136	wscript.exe	Firefox.exe
PID 3136 wrote to memory of 4536	3136	wscript.exe	Firefox.exe
PID 3136 wrote to memory of 4536	3136	wscript.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4796

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3708

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
memory/3136-239-0x0000000001240000-0x00000000012D0000-memory.dmp

Filesize
576KB

Download
memory/3136-211-0x0000000000000000-mapping.dmp

Download
memory/3136-237-0x0000000000BA0000-0x0000000000BCC000-memory.dmp

Filesize
176KB

Download
memory/3136-238-0x0000000004780000-0x0000000004AA0000-memory.dmp

Filesize
3.1MB

Download
memory/3136-236-0x0000000001350000-0x0000000001377000-memory.dmp

Filesize
156KB

Download
memory/3168-240-0x0000000001100000-0x00000000011B2000-memory.dmp

Filesize
712KB

Download
memory/3168-241-0x0000000001100000-0x00000000011B2000-memory.dmp

Filesize
712KB

Download
memory/3168-210-0x0000000005640000-0x00000000057D0000-memory.dmp

Filesize
1.6MB

Download
memory/3648-184-0x000000000041F640-mapping.dmp

Download
memory/3648-183-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3648-185-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3648-186-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3648-187-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/3648-203-0x0000000001610000-0x0000000001621000-memory.dmp

Filesize
68KB

Download
memory/3648-201-0x0000000001AC0000-0x0000000001DE0000-memory.dmp

Filesize
3.1MB

Download
memory/3648-199-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3708-271-0x0000000000000000-mapping.dmp

Download
memory/4796-151-0x00000000050D0000-0x00000000055CE000-memory.dmp

Filesize
5.0MB

Download
memory/4796-160-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-129-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-130-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-132-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-131-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-133-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-134-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-136-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-135-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-137-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-138-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-140-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-139-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-141-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-142-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-143-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-144-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-145-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-146-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-147-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-148-0x00000000002C0000-0x00000000003A6000-memory.dmp

Filesize
920KB

Download
memory/4796-149-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-150-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-127-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-152-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-153-0x0000000004C70000-0x0000000004D02000-memory.dmp

Filesize
584KB

Download
memory/4796-154-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-155-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-156-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-157-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-158-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-159-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-161-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-162-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-128-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-163-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-164-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-165-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-166-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-167-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-168-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-169-0x0000000004C00000-0x0000000004C0A000-memory.dmp

Filesize
40KB

Download
memory/4796-170-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-171-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-172-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-173-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-174-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-175-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-176-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-177-0x0000000004C60000-0x0000000004C6E000-memory.dmp

Filesize
56KB

Download
memory/4796-126-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-125-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-124-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-123-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-122-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-121-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-120-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-119-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-118-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-116-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-117-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-115-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-114-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-178-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4796-179-0x0000000008240000-0x000000000824A000-memory.dmp

Filesize
40KB

Download
memory/4796-180-0x00000000082D0000-0x000000000833A000-memory.dmp

Filesize
424KB

Download
memory/4796-181-0x00000000083F0000-0x000000000848C000-memory.dmp

Filesize
624KB

Download
memory/4796-182-0x0000000008360000-0x0000000008392000-memory.dmp

Filesize
200KB

Download