xloader | 2510a64e022d6fa641f39da3bf2fc4d74cd00fb50b6bf0a77ab559c0af51245b

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2510a64e022d6fa641f39da3bf2fc4d74cd00fb50b6bf0a77ab559c0af51245b.exe
Size

206KB
MD5

bdf87b4a29e49c1600fe706db9e8cb32
SHA1

b43ee84e788f95271f5605368b4e3889313ad92b
SHA256

2510a64e022d6fa641f39da3bf2fc4d74cd00fb50b6bf0a77ab559c0af51245b
SHA512

bfb44e54994d58110b61e5a63ca9f67acfb01e165dff5892676318504d3a894d4d723b04bb1fd8e2e9550d4ca415ad5affd707528b5b1d694669a0b6edf3c1f6
SSDEEP

6144:59X0GphY2H0ThHcKuhcC5KCPizFV3hWO/+r4lxajH2Qqsn:/0AT0TwcK/ZScjWe

Score

10^/10

xloader jzvu loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

jzvu

Decoy

rezabird.com

amthebomb.com

cqfsc.net

scottgesslerdesign.com

australianhempco.com

digitalkn.com

theoneandonlytattoostudio.com

chaing-list.xyz

technicaljanu.com

tigerkid.net

mels.ink

adassadelacruz.com

deep-freezers.xyz

kundanbangles.com

88840678.com

xiaonaphotography.online

john-heer-stuttgart.com

gumrukihalesi.com

veekasdoshi.com

purathanam.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4976-141-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4976-146-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1576-148-0x00000000003A0000-0x00000000003C9000-memory.dmp	xloader
behavioral2/memory/1576-153-0x00000000003A0000-0x00000000003C9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

ob2ae.exeob2ae.exe

pid process

3956 ob2ae.exe
4976 ob2ae.exe
Loads dropped DLL 1 IoCs

Processes:

ob2ae.exe

pid process

3956 ob2ae.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ob2ae.exeob2ae.exesystray.exe

description	pid	process	target process
PID 3956 set thread context of 4976	3956	ob2ae.exe	ob2ae.exe
PID 4976 set thread context of 2056	4976	ob2ae.exe	Explorer.EXE
PID 1576 set thread context of 2056	1576	systray.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ob2ae.exeob2ae.exesystray.exe

pid	process
3956	ob2ae.exe
3956	ob2ae.exe
3956	ob2ae.exe
3956	ob2ae.exe
3956	ob2ae.exe
3956	ob2ae.exe
3956	ob2ae.exe
3956	ob2ae.exe
4976	ob2ae.exe
4976	ob2ae.exe
4976	ob2ae.exe
4976	ob2ae.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe
1576	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2056 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

ob2ae.exeob2ae.exesystray.exe

pid process

3956 ob2ae.exe
4976 ob2ae.exe
4976 ob2ae.exe
4976 ob2ae.exe
1576 systray.exe
1576 systray.exe

pid	process
2056	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

ob2ae.exesystray.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4976	ob2ae.exe
Token: SeDebugPrivilege	1576	systray.exe
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

2510a64e022d6fa641f39da3bf2fc4d74cd00fb50b6bf0a77ab559c0af51245b.exeob2ae.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 1652 wrote to memory of 3956	1652	2510a64e022d6fa641f39da3bf2fc4d74cd00fb50b6bf0a77ab559c0af51245b.exe	ob2ae.exe
PID 1652 wrote to memory of 3956	1652	2510a64e022d6fa641f39da3bf2fc4d74cd00fb50b6bf0a77ab559c0af51245b.exe	ob2ae.exe
PID 1652 wrote to memory of 3956	1652	2510a64e022d6fa641f39da3bf2fc4d74cd00fb50b6bf0a77ab559c0af51245b.exe	ob2ae.exe
PID 3956 wrote to memory of 4976	3956	ob2ae.exe	ob2ae.exe
PID 3956 wrote to memory of 4976	3956	ob2ae.exe	ob2ae.exe
PID 3956 wrote to memory of 4976	3956	ob2ae.exe	ob2ae.exe
PID 3956 wrote to memory of 4976	3956	ob2ae.exe	ob2ae.exe
PID 2056 wrote to memory of 1576	2056	Explorer.EXE	systray.exe
PID 2056 wrote to memory of 1576	2056	Explorer.EXE	systray.exe
PID 2056 wrote to memory of 1576	2056	Explorer.EXE	systray.exe
PID 1576 wrote to memory of 2012	1576	systray.exe	cmd.exe
PID 1576 wrote to memory of 2012	1576	systray.exe	cmd.exe
PID 1576 wrote to memory of 2012	1576	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Local\Temp\2510a64e022d6fa641f39da3bf2fc4d74cd00fb50b6bf0a77ab559c0af51245b.exe
"C:\Users\Admin\AppData\Local\Temp\2510a64e022d6fa641f39da3bf2fc4d74cd00fb50b6bf0a77ab559c0af51245b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\ob2ae.exe
"C:\Users\Admin\AppData\Local\Temp\ob2ae.exe" "C:\Users\Admin\AppData\Local\Temp\4lqay.dll" "C:\Users\Admin\AppData\Local\Temp\ivoelj.hvz"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Local\Temp\ob2ae.exe
"C:\Users\Admin\AppData\Local\Temp\ob2ae.exe" "C:\Users\Admin\AppData\Local\Temp\4lqay.dll" "C:\Users\Admin\AppData\Local\Temp\ivoelj.hvz"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ob2ae.exe"
3⤵
PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4lqay.dll
Filesize
11KB

MD5
7032c76118387d4a5d68c62edf0644f1

SHA1
749e8f835e571f223d209411112b5bb19bc39f3a

SHA256
6a7631b2b91e17dc80db014d669f55566743a8c6da19efd8107b4978318b7384

SHA512
dc4c91d694cf3204585640d12466de2905f4a1c9984551591278efd4dbe89bf6d7b951e93c8953736bd9a6cab09bbbc3acc36f9ddc34c806cc308bb04b27e401

Download Submit
C:\Users\Admin\AppData\Local\Temp\4lqay.dll
Filesize
11KB

MD5
7032c76118387d4a5d68c62edf0644f1

SHA1
749e8f835e571f223d209411112b5bb19bc39f3a

SHA256
6a7631b2b91e17dc80db014d669f55566743a8c6da19efd8107b4978318b7384

SHA512
dc4c91d694cf3204585640d12466de2905f4a1c9984551591278efd4dbe89bf6d7b951e93c8953736bd9a6cab09bbbc3acc36f9ddc34c806cc308bb04b27e401

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivoelj.hvz
Filesize
161KB

MD5
61c58c7c0149b657ece378dc40564d48

SHA1
d67c30870fb297a9331b74011a4c39dc62cbdf60

SHA256
044414965ba79ee42155a97806a21280ba4d8463d504cbfb7bf8a5f18ca49232

SHA512
df1786f3c49294d7a1607ccd3f1fcd022668822bc73f6ac727cc61829946c64dc35ceed9ee0ba6a11fa7f3ac361ef4534e05d44b5f31fb4bdc53e8a78fea5d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\ob2ae.exe
Filesize
3KB

MD5
8b8ee15ca32a0917d66bbe13f44c2fac

SHA1
bf61cc091af298a9bd1f3fd0ee1f0892b8aa156a

SHA256
bd82af121192a4ab12b7e24f1e5bfa06ea6d78fe28d275cd710885e2de712a52

SHA512
7c81329aee49702359f3ea9bde1ac78b0f205dd50a8073adc694d314a461ccbdb7b898f935b2d234ec8d76fd44f266035e2a5a4dc30b74cf59d927d3b079f449

Download Submit
C:\Users\Admin\AppData\Local\Temp\ob2ae.exe
Filesize
3KB

MD5
8b8ee15ca32a0917d66bbe13f44c2fac

SHA1
bf61cc091af298a9bd1f3fd0ee1f0892b8aa156a

SHA256
bd82af121192a4ab12b7e24f1e5bfa06ea6d78fe28d275cd710885e2de712a52

SHA512
7c81329aee49702359f3ea9bde1ac78b0f205dd50a8073adc694d314a461ccbdb7b898f935b2d234ec8d76fd44f266035e2a5a4dc30b74cf59d927d3b079f449

Download Submit
C:\Users\Admin\AppData\Local\Temp\ob2ae.exe
Filesize
3KB

MD5
8b8ee15ca32a0917d66bbe13f44c2fac

SHA1
bf61cc091af298a9bd1f3fd0ee1f0892b8aa156a

SHA256
bd82af121192a4ab12b7e24f1e5bfa06ea6d78fe28d275cd710885e2de712a52

SHA512
7c81329aee49702359f3ea9bde1ac78b0f205dd50a8073adc694d314a461ccbdb7b898f935b2d234ec8d76fd44f266035e2a5a4dc30b74cf59d927d3b079f449

Download Submit
memory/1576-147-0x0000000000410000-0x0000000000416000-memory.dmp

Filesize
24KB

Download
memory/1576-153-0x00000000003A0000-0x00000000003C9000-memory.dmp

Filesize
164KB

Download
memory/1576-151-0x00000000022D0000-0x000000000235F000-memory.dmp

Filesize
572KB

Download
memory/1576-150-0x0000000002590000-0x00000000028DA000-memory.dmp

Filesize
3.3MB

Download
memory/1576-148-0x00000000003A0000-0x00000000003C9000-memory.dmp

Filesize
164KB

Download
memory/1576-145-0x0000000000000000-mapping.dmp

Download
memory/2012-149-0x0000000000000000-mapping.dmp

Download
memory/2056-176-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/2056-182-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-220-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-219-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-218-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-217-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-152-0x00000000081B0000-0x0000000008259000-memory.dmp

Filesize
676KB

Download
memory/2056-216-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-215-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-155-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-154-0x00000000081B0000-0x0000000008259000-memory.dmp

Filesize
676KB

Download
memory/2056-156-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-157-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-159-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-158-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-160-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-161-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-162-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-163-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-164-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-165-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-166-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-167-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-168-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-169-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-170-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-171-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-172-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/2056-173-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/2056-174-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/2056-175-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/2056-144-0x0000000002D00000-0x0000000002DFD000-memory.dmp

Filesize
1012KB

Download
memory/2056-177-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-178-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-179-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-180-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-181-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-214-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-183-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-184-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-185-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-186-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-187-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-188-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-189-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-190-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-191-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-192-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-193-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-194-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/2056-195-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2056-196-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2056-197-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/2056-198-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2056-199-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2056-200-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-201-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-202-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-203-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-206-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/2056-204-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-208-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-209-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-205-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-210-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-211-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-213-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-212-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/3956-132-0x0000000000000000-mapping.dmp

Download
memory/3956-140-0x0000000074F80000-0x0000000074F86000-memory.dmp

Filesize
24KB

Download
memory/4976-146-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4976-138-0x0000000000000000-mapping.dmp

Download
memory/4976-141-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4976-142-0x0000000000A40000-0x0000000000D8A000-memory.dmp

Filesize
3.3MB

Download
memory/4976-143-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download