xloader | 7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f

General

Target

7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exe
Size

226KB
MD5

403a0ec6b998f324dda677547ac8ec79
SHA1

2e9fcc41db347d053ec58de6881527a9f529edef
SHA256

7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f
SHA512

0608941d064e2e3121ee4a02dba4f486ba7c997b14405b2e6d63102566bb65fbc242bb25ef424b5f1ddf07e7bc7e8226b916a00e85fc6d8d2408e966cbeb891b
SSDEEP

3072:qyiLF8DnmJpNG/f90oL1yq8ogAQLxLmqjPXrxgUuUj14xy9WmfvuuWlAqXJeDg+P:qGV/l0oL1TToMqTVgfUs8efDJe81aL9f

Score

10^/10

xloader dx3n loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dx3n

Decoy

polebear.xyz

luciamoca.com

185451.com

bookfriendspodcast.net

reliancetechsolutions.com

wuzuiso.com

ig-representative.com

ryotaohno.com

wlnhcl.com

oasispoolth.com

fo71.com

storyandidentity.com

sayarpro.com

arrow-electronics-corps.net

brasbux.com

nigeriaafricasummit.com

choud.store

medicareopenenrollment.info

amlhcz.com

fdklflkdioerklfdke.store

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/628-138-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/628-141-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3152-148-0x0000000000CD0000-0x0000000000CF9000-memory.dmp	xloader
behavioral2/memory/3152-151-0x0000000000CD0000-0x0000000000CF9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

rcviyqs.exercviyqs.exe

pid process

4792 rcviyqs.exe
628 rcviyqs.exe

pid	process
4792	rcviyqs.exe
628	rcviyqs.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

rcviyqs.exercviyqs.exechkdsk.exe

description	pid	process	target process
PID 4792 set thread context of 628	4792	rcviyqs.exe	rcviyqs.exe
PID 628 set thread context of 2080	628	rcviyqs.exe	Explorer.EXE
PID 3152 set thread context of 2080	3152	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

rcviyqs.exechkdsk.exe

pid	process
628	rcviyqs.exe
628	rcviyqs.exe
628	rcviyqs.exe
628	rcviyqs.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe
3152	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2080 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

rcviyqs.exechkdsk.exe

pid process

628 rcviyqs.exe
628 rcviyqs.exe
628 rcviyqs.exe
3152 chkdsk.exe
3152 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rcviyqs.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 628 rcviyqs.exe
Token: SeDebugPrivilege 3152 chkdsk.exe

pid	process
2080	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	628	rcviyqs.exe
Token: SeDebugPrivilege	3152	chkdsk.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exercviyqs.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 2016 wrote to memory of 4792	2016	7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exe	rcviyqs.exe
PID 2016 wrote to memory of 4792	2016	7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exe	rcviyqs.exe
PID 2016 wrote to memory of 4792	2016	7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exe	rcviyqs.exe
PID 4792 wrote to memory of 628	4792	rcviyqs.exe	rcviyqs.exe
PID 4792 wrote to memory of 628	4792	rcviyqs.exe	rcviyqs.exe
PID 4792 wrote to memory of 628	4792	rcviyqs.exe	rcviyqs.exe
PID 4792 wrote to memory of 628	4792	rcviyqs.exe	rcviyqs.exe
PID 4792 wrote to memory of 628	4792	rcviyqs.exe	rcviyqs.exe
PID 4792 wrote to memory of 628	4792	rcviyqs.exe	rcviyqs.exe
PID 2080 wrote to memory of 3152	2080	Explorer.EXE	chkdsk.exe
PID 2080 wrote to memory of 3152	2080	Explorer.EXE	chkdsk.exe
PID 2080 wrote to memory of 3152	2080	Explorer.EXE	chkdsk.exe
PID 3152 wrote to memory of 1704	3152	chkdsk.exe	cmd.exe
PID 3152 wrote to memory of 1704	3152	chkdsk.exe	cmd.exe
PID 3152 wrote to memory of 1704	3152	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\AppData\Local\Temp\7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exe
"C:\Users\Admin\AppData\Local\Temp\7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe C:\Users\Admin\AppData\Local\Temp\zdjjwjv
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4792

C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe C:\Users\Admin\AppData\Local\Temp\zdjjwjv
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe"
3⤵
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1ywlrkxvvx812p0hw00x
Filesize
163KB

MD5
4ed69a3c1f8ab690c2a2dca2afc8dded

SHA1
e39266fec1bb13a856a02f63a94ad0cbb5835379

SHA256
5ad0d54e33047f593130a63ba5b4d045b843de968c2ab09b3eab4b648b362901

SHA512
6d8a1f0b90e37f2bac77c07802c78524a26a9ac224f86ae6a06f6feef4b80752ae42eca728a8f0bdeb5a2b108c545f998f31d1ed0bd05176e6f94de88980cb34

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
Filesize
56KB

MD5
ca62620c3ef481629e95d16ed9ae0017

SHA1
4d2d3489edefc06534adcf79baba5b8444a12767

SHA256
071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6

SHA512
cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
Filesize
56KB

MD5
ca62620c3ef481629e95d16ed9ae0017

SHA1
4d2d3489edefc06534adcf79baba5b8444a12767

SHA256
071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6

SHA512
cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
Filesize
56KB

MD5
ca62620c3ef481629e95d16ed9ae0017

SHA1
4d2d3489edefc06534adcf79baba5b8444a12767

SHA256
071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6

SHA512
cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdjjwjv
Filesize
5KB

MD5
f6fed7693ed7d2d12d67639bcc14bc81

SHA1
c102b969911458ab547ff88a2f6bed088306621b

SHA256
60471f688a14618266cc6e77046711aad55d1679fea88170fd9250e1c24b59fc

SHA512
911c596347be043945d2670d7b66bd3d5a3885fe068c8cd19c5f5ed110d942630d91d992147f5fc9482043ab913ffcee29b9a83573dde8330ddb702ef3e50294

Download Submit
memory/628-143-0x00000000017E0000-0x00000000017F1000-memory.dmp

Filesize
68KB

Download
memory/628-137-0x0000000000000000-mapping.dmp

Download
memory/628-141-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/628-142-0x0000000001800000-0x0000000001B4A000-memory.dmp

Filesize
3.3MB

Download
memory/628-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1704-146-0x0000000000000000-mapping.dmp

Download
memory/2080-152-0x0000000003310000-0x00000000033F1000-memory.dmp

Filesize
900KB

Download
memory/2080-153-0x0000000003310000-0x00000000033F1000-memory.dmp

Filesize
900KB

Download
memory/2080-144-0x0000000008AE0000-0x0000000008C25000-memory.dmp

Filesize
1.3MB

Download
memory/3152-145-0x0000000000000000-mapping.dmp

Download
memory/3152-148-0x0000000000CD0000-0x0000000000CF9000-memory.dmp

Filesize
164KB

Download
memory/3152-149-0x00000000014D0000-0x000000000181A000-memory.dmp

Filesize
3.3MB

Download
memory/3152-150-0x0000000001300000-0x0000000001390000-memory.dmp

Filesize
576KB

Download
memory/3152-151-0x0000000000CD0000-0x0000000000CF9000-memory.dmp

Filesize
164KB

Download
memory/3152-147-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/4792-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads