xloader | 9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f

Analysis

max time kernel
148s
max time network
151s
platform
windows10_x64
resource
win10-20220414-en
resource tags

arch:x64arch:x86image:win10-20220414-enlocale:en-usos:windows10-1703-x64system
submitted
27-07-2022 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exe
Size

263KB
MD5

ab2dc0156b13dc57b25ebc3f83fac7c3
SHA1

944401ca96dd092e0e66646ce00f03e5881b37e8
SHA256

9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f
SHA512

2bbca40a977c511fdde66145129fd85aaebe5e9be68781d3aa9049dc24f5ed6b380c4ea790f54ceed1a9faf0977bc31f785e336f7c98c3f932f6aec163c9c292

Score

10^/10

xloader zgtb loader rat

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

zgtb

Decoy

gabriellep.com

honghe4.xyz

anisaofrendas.com

happy-tile.com

thesulkies.com

international-ipo.com

tazeco.info

hhhzzz.xyz

vrmonster.xyz

theearthresidencia.com

sportape.xyz

elshadaibaterias.com

koredeiihibi.com

taxtaa.com

globalcityb.com

fxivcama.com

dagsmith.com

elmar-bhp.com

peakice.net

jhcdjewelry.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3532-165-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/3532-166-0x000000000041F1F0-mapping.dmp	xloader
behavioral1/memory/3532-197-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/4628-211-0x00000000027A0000-0x00000000027CB000-memory.dmp	xloader
behavioral1/memory/4628-229-0x00000000027A0000-0x00000000027CB000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.execvtres.exesystray.exe

description	pid	process	target process
PID 2380 set thread context of 3532	2380	9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exe	cvtres.exe
PID 3532 set thread context of 3004	3532	cvtres.exe	Explorer.EXE
PID 4628 set thread context of 3004	4628	systray.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.execvtres.exesystray.exe

pid	process
2380	9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exe
2380	9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exe
3532	cvtres.exe
3532	cvtres.exe
3532	cvtres.exe
3532	cvtres.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe
4628	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3004 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

cvtres.exesystray.exe

pid process

3532 cvtres.exe
3532 cvtres.exe
3532 cvtres.exe
4628 systray.exe
4628 systray.exe

pid	process
3004	Explorer.EXE

pid	process
3532	cvtres.exe
3532	cvtres.exe
3532	cvtres.exe
4628	systray.exe
4628	systray.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.execvtres.exesystray.exe

description	pid	process
Token: SeDebugPrivilege	2380	9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exe
Token: SeDebugPrivilege	3532	cvtres.exe
Token: SeDebugPrivilege	4628	systray.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 2380 wrote to memory of 3456	2380	9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exe	cvtres.exe
PID 2380 wrote to memory of 3456	2380	9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exe	cvtres.exe
PID 2380 wrote to memory of 3456	2380	9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exe	cvtres.exe
PID 2380 wrote to memory of 3532	2380	9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exe	cvtres.exe
PID 2380 wrote to memory of 3532	2380	9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exe	cvtres.exe
PID 2380 wrote to memory of 3532	2380	9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exe	cvtres.exe
PID 2380 wrote to memory of 3532	2380	9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exe	cvtres.exe
PID 2380 wrote to memory of 3532	2380	9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exe	cvtres.exe
PID 2380 wrote to memory of 3532	2380	9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exe	cvtres.exe
PID 3004 wrote to memory of 4628	3004	Explorer.EXE	systray.exe
PID 3004 wrote to memory of 4628	3004	Explorer.EXE	systray.exe
PID 3004 wrote to memory of 4628	3004	Explorer.EXE	systray.exe
PID 4628 wrote to memory of 2028	4628	systray.exe	cmd.exe
PID 4628 wrote to memory of 2028	4628	systray.exe	cmd.exe
PID 4628 wrote to memory of 2028	4628	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3004

C:\Users\Admin\AppData\Local\Temp\9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exe
"C:\Users\Admin\AppData\Local\Temp\9a4cfaaed6a9352cebb8dcb725c512ac943a7d9878329cefc9355f00d744916f.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
PID:3456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4600

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4620

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4616

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
PID:2028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-218-0x0000000000000000-mapping.dmp

Download
memory/2380-157-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-150-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-120-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-121-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-122-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-123-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-124-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-125-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-126-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-127-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-128-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-129-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-130-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-131-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-132-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-160-0x0000000003030000-0x0000000003064000-memory.dmp

Filesize
208KB

Download
memory/2380-134-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-135-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-136-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-137-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-138-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-139-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-140-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-141-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-143-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-142-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-144-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-145-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-146-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-147-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-148-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-149-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-159-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-151-0x0000000000E30000-0x0000000000E74000-memory.dmp

Filesize
272KB

Download
memory/2380-152-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-153-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-154-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-155-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-158-0x0000000005610000-0x0000000005644000-memory.dmp

Filesize
208KB

Download
memory/2380-118-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-156-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-119-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-133-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-161-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-162-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-163-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-164-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2380-168-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-194-0x00000000067E0000-0x0000000006967000-memory.dmp

Filesize
1.5MB

Download
memory/3004-226-0x00000000067E0000-0x0000000006967000-memory.dmp

Filesize
1.5MB

Download
memory/3004-231-0x0000000002700000-0x0000000002844000-memory.dmp

Filesize
1.3MB

Download
memory/3004-228-0x0000000002700000-0x0000000002844000-memory.dmp

Filesize
1.3MB

Download
memory/3532-170-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3532-185-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3532-182-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3532-171-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3532-184-0x0000000004F70000-0x0000000005290000-memory.dmp

Filesize
3.1MB

Download
memory/3532-174-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3532-176-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3532-177-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3532-178-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3532-179-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3532-180-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3532-166-0x000000000041F1F0-mapping.dmp

Download
memory/3532-167-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3532-173-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3532-186-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3532-169-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3532-187-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3532-188-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/3532-193-0x0000000005470000-0x0000000005481000-memory.dmp

Filesize
68KB

Download
memory/3532-197-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3532-165-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3532-181-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/4628-210-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/4628-211-0x00000000027A0000-0x00000000027CB000-memory.dmp

Filesize
172KB

Download
memory/4628-224-0x00000000043E0000-0x0000000004700000-memory.dmp

Filesize
3.1MB

Download
memory/4628-227-0x0000000004240000-0x00000000043DA000-memory.dmp

Filesize
1.6MB

Download
memory/4628-229-0x00000000027A0000-0x00000000027CB000-memory.dmp

Filesize
172KB

Download
memory/4628-230-0x0000000004240000-0x00000000043DA000-memory.dmp

Filesize
1.6MB

Download
memory/4628-195-0x0000000000000000-mapping.dmp

Download