xloader | d24e3ddbed42b77cee50ff8a06e7414910d755cf2635eadf35b51091c8cba010

General

Target

9Vpz6YEQuRqDljF.exe
Size

664KB
MD5

ff73f2e9be581f3bbbaee6438a9ffa67
SHA1

6a77722a024580b6756120b1e0e358898557e129
SHA256

d24e3ddbed42b77cee50ff8a06e7414910d755cf2635eadf35b51091c8cba010
SHA512

b0b2c21cb7952d7b315671027c1af8ee46a684f42b50f50bac72787680290dc95f5ad9eb7451c0cec7fe4cc2b1f0ef22304a0beb877c8708f84515f952e8411f

Score

10^/10

xloader loader persistence rat suricata

Malware Config

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2040-63-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/2040-64-0x0000000000420070-mapping.dmp	xloader
behavioral1/memory/2040-66-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/2044-74-0x0000000000080000-0x00000000000AC000-memory.dmp	xloader
behavioral1/memory/2044-78-0x0000000000080000-0x00000000000AC000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9Vpz6YEQuRqDljF.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation	9Vpz6YEQuRqDljF.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1636 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

control.exe

pid process

2044 control.exe

pid	process
1636	cmd.exe

pid	process
2044	control.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	control.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\K6AHB4BP2T = "C:\\Program Files (x86)\\Bytktnti\\chkdsknjd0zdj.exe"	control.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

9Vpz6YEQuRqDljF.exe9Vpz6YEQuRqDljF.execontrol.exe

description	pid	process	target process
PID 964 set thread context of 2040	964	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 2040 set thread context of 1220	2040	9Vpz6YEQuRqDljF.exe	Explorer.EXE
PID 2044 set thread context of 1220	2044	control.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

control.exe

description ioc process

File opened for modification C:\Program Files (x86)\Bytktnti\chkdsknjd0zdj.exe control.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Bytktnti\chkdsknjd0zdj.exe	control.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

9Vpz6YEQuRqDljF.exe9Vpz6YEQuRqDljF.execontrol.exe

pid	process
964	9Vpz6YEQuRqDljF.exe
2040	9Vpz6YEQuRqDljF.exe
2040	9Vpz6YEQuRqDljF.exe
2044	control.exe
2044	control.exe
2044	control.exe
2044	control.exe
2044	control.exe
2044	control.exe
2044	control.exe
2044	control.exe
2044	control.exe
2044	control.exe
2044	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

9Vpz6YEQuRqDljF.execontrol.exe

pid process

2040 9Vpz6YEQuRqDljF.exe
2040 9Vpz6YEQuRqDljF.exe
2040 9Vpz6YEQuRqDljF.exe
2044 control.exe
2044 control.exe
2044 control.exe
2044 control.exe

pid	process
2040	9Vpz6YEQuRqDljF.exe
2040	9Vpz6YEQuRqDljF.exe
2040	9Vpz6YEQuRqDljF.exe
2044	control.exe
2044	control.exe
2044	control.exe
2044	control.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

9Vpz6YEQuRqDljF.exe9Vpz6YEQuRqDljF.execontrol.exe

description	pid	process
Token: SeDebugPrivilege	964	9Vpz6YEQuRqDljF.exe
Token: SeDebugPrivilege	2040	9Vpz6YEQuRqDljF.exe
Token: SeDebugPrivilege	2044	control.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE

Suspicious use of SendNotifyMessage 53 IoCs

Processes:

Explorer.EXE

pid	process
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

9Vpz6YEQuRqDljF.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 964 wrote to memory of 2036	964	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 964 wrote to memory of 2036	964	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 964 wrote to memory of 2036	964	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 964 wrote to memory of 2036	964	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 964 wrote to memory of 2040	964	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 964 wrote to memory of 2040	964	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 964 wrote to memory of 2040	964	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 964 wrote to memory of 2040	964	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 964 wrote to memory of 2040	964	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 964 wrote to memory of 2040	964	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 964 wrote to memory of 2040	964	9Vpz6YEQuRqDljF.exe	9Vpz6YEQuRqDljF.exe
PID 1220 wrote to memory of 2044	1220	Explorer.EXE	control.exe
PID 1220 wrote to memory of 2044	1220	Explorer.EXE	control.exe
PID 1220 wrote to memory of 2044	1220	Explorer.EXE	control.exe
PID 1220 wrote to memory of 2044	1220	Explorer.EXE	control.exe
PID 2044 wrote to memory of 1636	2044	control.exe	cmd.exe
PID 2044 wrote to memory of 1636	2044	control.exe	cmd.exe
PID 2044 wrote to memory of 1636	2044	control.exe	cmd.exe
PID 2044 wrote to memory of 1636	2044	control.exe	cmd.exe
PID 2044 wrote to memory of 1384	2044	control.exe	Firefox.exe
PID 2044 wrote to memory of 1384	2044	control.exe	Firefox.exe
PID 2044 wrote to memory of 1384	2044	control.exe	Firefox.exe
PID 2044 wrote to memory of 1384	2044	control.exe	Firefox.exe
PID 2044 wrote to memory of 1384	2044	control.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\9Vpz6YEQuRqDljF.exe
"C:\Users\Admin\AppData\Local\Temp\9Vpz6YEQuRqDljF.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\9Vpz6YEQuRqDljF.exe
"C:\Users\Admin\AppData\Local\Temp\9Vpz6YEQuRqDljF.exe"
3⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\9Vpz6YEQuRqDljF.exe
"C:\Users\Admin\AppData\Local\Temp\9Vpz6YEQuRqDljF.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\9Vpz6YEQuRqDljF.exe"
3⤵
- Deletes itself
PID:1636

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
650KB

MD5
5c73e64374d9ba37ac5569d1f7de5c9b

SHA1
592e26ffea429b30e0a648720b43739d2ff5e590

SHA256
5d0a5018218dbc363909a7eb915a763863cfbcad6d1a6231eb20633d098d57c7

SHA512
c0cfaf1bd497a799b3480a268bc4d2548d139f3f4b9f1ed41b09cd4c934d285b0ca36c1c3f45f8718feb50274bce1897939d0dfe612e26010c8bbaf004fe8905

Download Submit
memory/964-55-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/964-56-0x00000000003A0000-0x00000000003C0000-memory.dmp

Filesize
128KB

Download
memory/964-57-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/964-58-0x0000000005830000-0x00000000058AA000-memory.dmp

Filesize
488KB

Download
memory/964-59-0x0000000004AB0000-0x0000000004AE2000-memory.dmp

Filesize
200KB

Download
memory/964-54-0x0000000001310000-0x00000000013BC000-memory.dmp

Filesize
688KB

Download
memory/1220-69-0x0000000004BA0000-0x0000000004CC6000-memory.dmp

Filesize
1.1MB

Download
memory/1220-79-0x0000000004CD0000-0x0000000004DA8000-memory.dmp

Filesize
864KB

Download
memory/1220-77-0x0000000004CD0000-0x0000000004DA8000-memory.dmp

Filesize
864KB

Download
memory/1636-72-0x0000000000000000-mapping.dmp

Download
memory/2040-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2040-67-0x0000000000820000-0x0000000000B23000-memory.dmp

Filesize
3.0MB

Download
memory/2040-68-0x0000000000140000-0x0000000000151000-memory.dmp

Filesize
68KB

Download
memory/2040-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2040-64-0x0000000000420070-mapping.dmp

Download
memory/2040-63-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2040-61-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2044-70-0x0000000000000000-mapping.dmp

Download
memory/2044-73-0x0000000000FE0000-0x0000000000FFF000-memory.dmp

Filesize
124KB

Download
memory/2044-74-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2044-75-0x0000000000BD0000-0x0000000000ED3000-memory.dmp

Filesize
3.0MB

Download
memory/2044-76-0x0000000000990000-0x0000000000A20000-memory.dmp

Filesize
576KB

Download
memory/2044-78-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads