xloader | 1a41a5bf751fd2deb7cf46b231e45843adc5f036149979de847c053177be2eb8

General

Target

swiftcopy.exe
Size

226KB
MD5

403a0ec6b998f324dda677547ac8ec79
SHA1

2e9fcc41db347d053ec58de6881527a9f529edef
SHA256

7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f
SHA512

0608941d064e2e3121ee4a02dba4f486ba7c997b14405b2e6d63102566bb65fbc242bb25ef424b5f1ddf07e7bc7e8226b916a00e85fc6d8d2408e966cbeb891b
SSDEEP

3072:qyiLF8DnmJpNG/f90oL1yq8ogAQLxLmqjPXrxgUuUj14xy9WmfvuuWlAqXJeDg+P:qGV/l0oL1TToMqTVgfUs8efDJe81aL9f

Score

10^/10

xloader dx3n loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dx3n

Decoy

polebear.xyz

luciamoca.com

185451.com

bookfriendspodcast.net

reliancetechsolutions.com

wuzuiso.com

ig-representative.com

ryotaohno.com

wlnhcl.com

oasispoolth.com

fo71.com

storyandidentity.com

sayarpro.com

arrow-electronics-corps.net

brasbux.com

nigeriaafricasummit.com

choud.store

medicareopenenrollment.info

amlhcz.com

fdklflkdioerklfdke.store

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/456-138-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/456-145-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/5048-149-0x0000000000600000-0x0000000000629000-memory.dmp	xloader
behavioral2/memory/5048-152-0x0000000000600000-0x0000000000629000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

rcviyqs.exercviyqs.exe

pid process

4416 rcviyqs.exe
456 rcviyqs.exe

pid	process
4416	rcviyqs.exe
456	rcviyqs.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

rcviyqs.exercviyqs.execontrol.exe

description	pid	process	target process
PID 4416 set thread context of 456	4416	rcviyqs.exe	rcviyqs.exe
PID 456 set thread context of 3068	456	rcviyqs.exe	Explorer.EXE
PID 5048 set thread context of 3068	5048	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

rcviyqs.execontrol.exe

pid	process
456	rcviyqs.exe
456	rcviyqs.exe
456	rcviyqs.exe
456	rcviyqs.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe
5048	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3068 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

rcviyqs.execontrol.exe

pid process

456 rcviyqs.exe
456 rcviyqs.exe
456 rcviyqs.exe
5048 control.exe
5048 control.exe

pid	process
3068	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

rcviyqs.execontrol.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	456	rcviyqs.exe
Token: SeDebugPrivilege	5048	control.exe
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE
Token: SeShutdownPrivilege	3068	Explorer.EXE
Token: SeCreatePagefilePrivilege	3068	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3068 Explorer.EXE
3068 Explorer.EXE

pid	process
3068	Explorer.EXE
3068	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

swiftcopy.exercviyqs.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 4988 wrote to memory of 4416	4988	swiftcopy.exe	rcviyqs.exe
PID 4988 wrote to memory of 4416	4988	swiftcopy.exe	rcviyqs.exe
PID 4988 wrote to memory of 4416	4988	swiftcopy.exe	rcviyqs.exe
PID 4416 wrote to memory of 456	4416	rcviyqs.exe	rcviyqs.exe
PID 4416 wrote to memory of 456	4416	rcviyqs.exe	rcviyqs.exe
PID 4416 wrote to memory of 456	4416	rcviyqs.exe	rcviyqs.exe
PID 4416 wrote to memory of 456	4416	rcviyqs.exe	rcviyqs.exe
PID 4416 wrote to memory of 456	4416	rcviyqs.exe	rcviyqs.exe
PID 4416 wrote to memory of 456	4416	rcviyqs.exe	rcviyqs.exe
PID 3068 wrote to memory of 5048	3068	Explorer.EXE	control.exe
PID 3068 wrote to memory of 5048	3068	Explorer.EXE	control.exe
PID 3068 wrote to memory of 5048	3068	Explorer.EXE	control.exe
PID 5048 wrote to memory of 1840	5048	control.exe	cmd.exe
PID 5048 wrote to memory of 1840	5048	control.exe	cmd.exe
PID 5048 wrote to memory of 1840	5048	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\swiftcopy.exe
"C:\Users\Admin\AppData\Local\Temp\swiftcopy.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe C:\Users\Admin\AppData\Local\Temp\zdjjwjv
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4416

C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe C:\Users\Admin\AppData\Local\Temp\zdjjwjv
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe"
3⤵
PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1ywlrkxvvx812p0hw00x
Filesize
163KB

MD5
4ed69a3c1f8ab690c2a2dca2afc8dded

SHA1
e39266fec1bb13a856a02f63a94ad0cbb5835379

SHA256
5ad0d54e33047f593130a63ba5b4d045b843de968c2ab09b3eab4b648b362901

SHA512
6d8a1f0b90e37f2bac77c07802c78524a26a9ac224f86ae6a06f6feef4b80752ae42eca728a8f0bdeb5a2b108c545f998f31d1ed0bd05176e6f94de88980cb34

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
Filesize
56KB

MD5
ca62620c3ef481629e95d16ed9ae0017

SHA1
4d2d3489edefc06534adcf79baba5b8444a12767

SHA256
071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6

SHA512
cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
Filesize
56KB

MD5
ca62620c3ef481629e95d16ed9ae0017

SHA1
4d2d3489edefc06534adcf79baba5b8444a12767

SHA256
071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6

SHA512
cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
Filesize
56KB

MD5
ca62620c3ef481629e95d16ed9ae0017

SHA1
4d2d3489edefc06534adcf79baba5b8444a12767

SHA256
071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6

SHA512
cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdjjwjv
Filesize
5KB

MD5
f6fed7693ed7d2d12d67639bcc14bc81

SHA1
c102b969911458ab547ff88a2f6bed088306621b

SHA256
60471f688a14618266cc6e77046711aad55d1679fea88170fd9250e1c24b59fc

SHA512
911c596347be043945d2670d7b66bd3d5a3885fe068c8cd19c5f5ed110d942630d91d992147f5fc9482043ab913ffcee29b9a83573dde8330ddb702ef3e50294

Download Submit
memory/456-145-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/456-137-0x0000000000000000-mapping.dmp

Download
memory/456-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/456-141-0x0000000001770000-0x0000000001ABA000-memory.dmp

Filesize
3.3MB

Download
memory/456-142-0x00000000012D0000-0x00000000012E1000-memory.dmp

Filesize
68KB

Download
memory/1840-146-0x0000000000000000-mapping.dmp

Download
memory/3068-181-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-171-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-143-0x0000000007C90000-0x0000000007E14000-memory.dmp

Filesize
1.5MB

Download
memory/3068-197-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/3068-196-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/3068-195-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/3068-194-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/3068-151-0x00000000081A0000-0x0000000008275000-memory.dmp

Filesize
852KB

Download
memory/3068-193-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-153-0x00000000081A0000-0x0000000008275000-memory.dmp

Filesize
852KB

Download
memory/3068-154-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-155-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-156-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-157-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/3068-158-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-159-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-160-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-161-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-162-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-163-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-164-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-165-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-166-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-167-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-168-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-169-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-170-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-192-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-172-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-173-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/3068-174-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/3068-175-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/3068-176-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/3068-177-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-178-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-179-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-180-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-191-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-182-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-183-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-184-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-186-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-185-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-187-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-188-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-189-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/3068-190-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/4416-132-0x0000000000000000-mapping.dmp

Download
memory/5048-144-0x0000000000000000-mapping.dmp

Download
memory/5048-152-0x0000000000600000-0x0000000000629000-memory.dmp

Filesize
164KB

Download
memory/5048-150-0x00000000022D0000-0x0000000002360000-memory.dmp

Filesize
576KB

Download
memory/5048-149-0x0000000000600000-0x0000000000629000-memory.dmp

Filesize
164KB

Download
memory/5048-148-0x0000000002450000-0x000000000279A000-memory.dmp

Filesize
3.3MB

Download
memory/5048-147-0x0000000000350000-0x0000000000377000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads