xloader | 243b8fc6ed8a4be1109fef481d20293405c4dd9614f3f4e78debfaefb2d18137

General

Target

PO-090221.exe
Size

221KB
MD5

ca11f896143acf2168b383b5532ef812
SHA1

fe4cf4a32e0633b9e47869a0850369c7854ec6d7
SHA256

1fa8e3489567519f9ed48d1323d7316118bfd2f5f6434a942202e4ccc64f8fbf
SHA512

c2d103eefae3afc47eec34210b3aa90283c13f9819c328334474caee8e0ea68dd17e6daa623fdb22af824c14083f53acdb37af84d189820b0406d52bfec41ee4
SSDEEP

3072:oBkfJpRXATwMdFCcmbA94/P32S+INSyftupOxoit6HC77zaDrxehjkEXdN9Nt:oqjIeA94HDN8pOOM6HCmDQkIPnt

Score

10^/10

xloader gzcj loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

gzcj

Decoy

localzhops.com

cfsb114.com

sweetiefilms.com

cyclewatts.com

bubblesportsevent.com

halloween-r-us.com

rcdzsm.com

reelatioens.com

uniquegranitebenefits.com

chainlinkdex.com

topcoolhlist.com

ivy-apps.com

shopmajesticqueendom.com

ddiesels.com

ventajuguetessexuales.online

daylight93245.com

heiyingxitong.com

personalfashion.guru

usadrugfree.com

beyondcareersuccess.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1996-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1996-16-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2352-23-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2788 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

PO-090221.exe

pid process

3040 PO-090221.exe
3040 PO-090221.exe

pid	process
2788	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO-090221.exePO-090221.exewlanext.exe

description	pid	process	target process
PID 3040 set thread context of 1996	3040	PO-090221.exe	PO-090221.exe
PID 1996 set thread context of 1244	1996	PO-090221.exe	Explorer.EXE
PID 2352 set thread context of 1244	2352	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

PO-090221.exePO-090221.exewlanext.exe

pid	process
3040	PO-090221.exe
3040	PO-090221.exe
3040	PO-090221.exe
3040	PO-090221.exe
1996	PO-090221.exe
1996	PO-090221.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe
2352	wlanext.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

PO-090221.exePO-090221.exewlanext.exe

pid process

3040 PO-090221.exe
1996 PO-090221.exe
1996 PO-090221.exe
1996 PO-090221.exe
2352 wlanext.exe
2352 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO-090221.exewlanext.exe

description pid process

Token: SeDebugPrivilege 1996 PO-090221.exe
Token: SeDebugPrivilege 2352 wlanext.exe

description	pid	process
Token: SeDebugPrivilege	1996	PO-090221.exe
Token: SeDebugPrivilege	2352	wlanext.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

PO-090221.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 3040 wrote to memory of 1996	3040	PO-090221.exe	PO-090221.exe
PID 3040 wrote to memory of 1996	3040	PO-090221.exe	PO-090221.exe
PID 3040 wrote to memory of 1996	3040	PO-090221.exe	PO-090221.exe
PID 3040 wrote to memory of 1996	3040	PO-090221.exe	PO-090221.exe
PID 3040 wrote to memory of 1996	3040	PO-090221.exe	PO-090221.exe
PID 1244 wrote to memory of 2352	1244	Explorer.EXE	wlanext.exe
PID 1244 wrote to memory of 2352	1244	Explorer.EXE	wlanext.exe
PID 1244 wrote to memory of 2352	1244	Explorer.EXE	wlanext.exe
PID 1244 wrote to memory of 2352	1244	Explorer.EXE	wlanext.exe
PID 2352 wrote to memory of 2788	2352	wlanext.exe	cmd.exe
PID 2352 wrote to memory of 2788	2352	wlanext.exe	cmd.exe
PID 2352 wrote to memory of 2788	2352	wlanext.exe	cmd.exe
PID 2352 wrote to memory of 2788	2352	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\PO-090221.exe
"C:\Users\Admin\AppData\Local\Temp\PO-090221.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\PO-090221.exe
"C:\Users\Admin\AppData\Local\Temp\PO-090221.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO-090221.exe"
3⤵
- Deletes itself
PID:2788

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsoF91F.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\yrcvb.dll
Filesize
11KB

MD5
ce58ee918da61b9ad6d17ea883108b75

SHA1
ba22489f71b94f0593bb02a89668aa293ce4ca8b

SHA256
1175fe7473ab4675f5197a3a5271c095f2a0ad01ee5e55a728c0f208adaeef01

SHA512
fa452aeffcb848f4e62a7f3df2ae10dfdc75bb49e3b80e8af076056ea648b438a98a625d951c4b769cc2ffa85742d150aa45290749779dbdc7005bbacdd0ef7a

Download Submit
memory/1244-17-0x0000000006E10000-0x0000000006FAB000-memory.dmp

Filesize
1.6MB

Download
memory/1244-26-0x0000000006E10000-0x0000000006FAB000-memory.dmp

Filesize
1.6MB

Download
memory/1996-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1996-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2352-20-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download
memory/2352-22-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download
memory/2352-23-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/3040-12-0x0000000074DD0000-0x0000000074DD6000-memory.dmp

Filesize
24KB

Download
memory/3040-14-0x0000000074DD0000-0x0000000074DD6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads