xloader | 11f56953a80011adac61595a11f0d716a9a24e0fb7e20b95dbd55d0c4b3c0781

General

Target

Ri9RSdOwP2DvMFi.exe
Size

782KB
MD5

93fcca51eeb3f566119693d2f9745926
SHA1

9cb3c035e948b0e1e27f2a8515fed6deb14857a5
SHA256

effde9dee423f050461080a9efc44435f4abd5d772e0a436f84f758b95ff65b2
SHA512

978b52d10a3a00429322c21cb492f7f72a1bbe175d3915b37d01d4ecde9b0b66f29228625c1e5abf71ad3b5110f9021059c5daaa8f7ea25b5fb7e641ffb06d85
SSDEEP

6144:luFJLgGJz99KYyo3wdTPnoJx6DqVY2RvE/KMuKszf7hOgoP2Oncbq3VHOflCbF23:KzfDyvnGmqvs/5YOgoZsHYMaPVUnt

Score

10^/10

xloader b5ne loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

b5ne

Decoy

haridwarweb.com

rltzjd.com

betsvia.com

swiftnestit.com

sndebate.com

intervene-suave.net

frejany.com

findcremationsearcher.info

jchmlt.com

sanenkj.com

donnypoppins.com

pallainfotech.com

dinerbite.com

aj2223.online

4ociousdragon.com

rnpackersandmovers.com

working-mum.com

savewife.com

reissteams.com

visionenterprisesindia.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 5 IoCs

rat

resource	yara_rule
behavioral2/memory/3016-17-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3016-22-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/3016-26-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/444-34-0x0000000000760000-0x0000000000788000-memory.dmp	xloader
behavioral2/memory/444-36-0x0000000000760000-0x0000000000788000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	Ri9RSdOwP2DvMFi.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 228 set thread context of 3016	228	Ri9RSdOwP2DvMFi.exe	106
PID 3016 set thread context of 3352	3016	Ri9RSdOwP2DvMFi.exe	78
PID 3016 set thread context of 3352	3016	Ri9RSdOwP2DvMFi.exe	78
PID 444 set thread context of 3352	444	msiexec.exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2324	schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
228	Ri9RSdOwP2DvMFi.exe
228	Ri9RSdOwP2DvMFi.exe
228	Ri9RSdOwP2DvMFi.exe
228	Ri9RSdOwP2DvMFi.exe
228	Ri9RSdOwP2DvMFi.exe
3016	Ri9RSdOwP2DvMFi.exe
3016	Ri9RSdOwP2DvMFi.exe
3016	Ri9RSdOwP2DvMFi.exe
3016	Ri9RSdOwP2DvMFi.exe
3016	Ri9RSdOwP2DvMFi.exe
3016	Ri9RSdOwP2DvMFi.exe
3016	Ri9RSdOwP2DvMFi.exe
3016	Ri9RSdOwP2DvMFi.exe
3016	Ri9RSdOwP2DvMFi.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe
444	msiexec.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
3016	Ri9RSdOwP2DvMFi.exe
3016	Ri9RSdOwP2DvMFi.exe
3016	Ri9RSdOwP2DvMFi.exe
3016	Ri9RSdOwP2DvMFi.exe
444	msiexec.exe
444	msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	Ri9RSdOwP2DvMFi.exe
Token: SeDebugPrivilege	3016	Ri9RSdOwP2DvMFi.exe
Token: SeDebugPrivilege	444	msiexec.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3352	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2324	228	Ri9RSdOwP2DvMFi.exe	103
PID 228 wrote to memory of 2324	228	Ri9RSdOwP2DvMFi.exe	103
PID 228 wrote to memory of 2324	228	Ri9RSdOwP2DvMFi.exe	103
PID 228 wrote to memory of 100	228	Ri9RSdOwP2DvMFi.exe	105
PID 228 wrote to memory of 100	228	Ri9RSdOwP2DvMFi.exe	105
PID 228 wrote to memory of 100	228	Ri9RSdOwP2DvMFi.exe	105
PID 228 wrote to memory of 3016	228	Ri9RSdOwP2DvMFi.exe	106
PID 228 wrote to memory of 3016	228	Ri9RSdOwP2DvMFi.exe	106
PID 228 wrote to memory of 3016	228	Ri9RSdOwP2DvMFi.exe	106
PID 228 wrote to memory of 3016	228	Ri9RSdOwP2DvMFi.exe	106
PID 228 wrote to memory of 3016	228	Ri9RSdOwP2DvMFi.exe	106
PID 228 wrote to memory of 3016	228	Ri9RSdOwP2DvMFi.exe	106
PID 3352 wrote to memory of 444	3352	Explorer.EXE	107
PID 3352 wrote to memory of 444	3352	Explorer.EXE	107
PID 3352 wrote to memory of 444	3352	Explorer.EXE	107
PID 444 wrote to memory of 1168	444	msiexec.exe	108
PID 444 wrote to memory of 1168	444	msiexec.exe	108
PID 444 wrote to memory of 1168	444	msiexec.exe	108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Users\Admin\AppData\Local\Temp\Ri9RSdOwP2DvMFi.exe
  "C:\Users\Admin\AppData\Local\Temp\Ri9RSdOwP2DvMFi.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\raWKsgTnHRZckF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3FA4.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2324
- - C:\Users\Admin\AppData\Local\Temp\Ri9RSdOwP2DvMFi.exe
    "C:\Users\Admin\AppData\Local\Temp\Ri9RSdOwP2DvMFi.exe"
    3⤵
    PID:100
- - C:\Users\Admin\AppData\Local\Temp\Ri9RSdOwP2DvMFi.exe
    "C:\Users\Admin\AppData\Local\Temp\Ri9RSdOwP2DvMFi.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Ri9RSdOwP2DvMFi.exe"
    3⤵
    PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/228-19-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/228-1-0x0000000000590000-0x000000000065A000-memory.dmp

Filesize
808KB

Download
memory/228-2-0x0000000005680000-0x0000000005C24000-memory.dmp

Filesize
5.6MB

Download
memory/228-3-0x00000000050D0000-0x0000000005162000-memory.dmp

Filesize
584KB

Download
memory/228-4-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/228-5-0x0000000005050000-0x000000000505A000-memory.dmp

Filesize
40KB

Download
memory/228-6-0x00000000052D0000-0x00000000052EC000-memory.dmp

Filesize
112KB

Download
memory/228-7-0x000000000B870000-0x000000000B90C000-memory.dmp

Filesize
624KB

Download
memory/228-8-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/228-9-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/228-10-0x000000000B910000-0x000000000B976000-memory.dmp

Filesize
408KB

Download
memory/228-11-0x000000000E350000-0x000000000E37E000-memory.dmp

Filesize
184KB

Download
memory/228-0-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/444-34-0x0000000000760000-0x0000000000788000-memory.dmp

Filesize
160KB

Download
memory/444-36-0x0000000000760000-0x0000000000788000-memory.dmp

Filesize
160KB

Download
memory/444-39-0x00000000027F0000-0x000000000287F000-memory.dmp

Filesize
572KB

Download
memory/444-35-0x00000000028C0000-0x0000000002C0A000-memory.dmp

Filesize
3.3MB

Download
memory/444-33-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/444-31-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/444-29-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/3016-20-0x0000000001160000-0x00000000014AA000-memory.dmp

Filesize
3.3MB

Download
memory/3016-27-0x0000000001140000-0x0000000001150000-memory.dmp

Filesize
64KB

Download
memory/3016-26-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3016-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3016-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3016-23-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download
memory/3352-24-0x0000000006E10000-0x0000000006ECF000-memory.dmp

Filesize
764KB

Download
memory/3352-38-0x0000000006E10000-0x0000000006ECF000-memory.dmp

Filesize
764KB

Download
memory/3352-28-0x00000000081E0000-0x00000000082A8000-memory.dmp

Filesize
800KB

Download
memory/3352-41-0x00000000081E0000-0x00000000082A8000-memory.dmp

Filesize
800KB

Download
memory/3352-42-0x0000000008540000-0x0000000008679000-memory.dmp

Filesize
1.2MB

Download
memory/3352-43-0x0000000008540000-0x0000000008679000-memory.dmp

Filesize
1.2MB

Download
memory/3352-47-0x0000000008540000-0x0000000008679000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads