xloader | 816678f27a605539befc4304ad9d82a8b95a6292180616de67b5861e0cd0a44e

General

Target

Q210203W.exe
Size

220KB
MD5

fa56b6d31bcdbe7a969c432099c28611
SHA1

7ff0f279a8ed6759ea3344f484cd82d174896c20
SHA256

2b9cc84b89000fae34b2808cfbc40c76a0f9f40f02aad848c3789b2fc347ccf0
SHA512

25eeb37a943edd0cb193673644e1f60bebbf26d85951a4802c82bc56dc85dc524ec82c8d725edaf1285edf998fc193613ba8522cb649bf0ba1cc9c8edbf366eb
SSDEEP

6144:4qjIp2Tdl/KdPGf8EMTXZ8YVDcjCCKopU+mQfVYKt:1u2dYRXZ8QHIC+mQr

Score

10^/10

xloader gh6n loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

gh6n

Decoy

cpschoolsschoology.com

thestocksforum.com

pixiewish.com

sopressd.com

muktokontha.com

tiejiabang.net

fdo.technology

kuringnl.com

barbarapastor.com

21stcenturytrading.com

digiwarung.com

canvafynyc.com

forfaitinghouse.com

3704368.com

mymonwero.com

ponpow.com

fringe.golf

heartfeltindonesia.com

defensivedrivercpc.com

allaboutgt.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2148-13-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/2148-17-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/2352-23-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Deletes itself 1 IoCs

pid	Process
2824	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2092	Q210203W.exe
2092	Q210203W.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2092 set thread context of 2148	2092	Q210203W.exe	30
PID 2148 set thread context of 1216	2148	Q210203W.exe	21
PID 2352 set thread context of 1216	2352	help.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2092	Q210203W.exe
2092	Q210203W.exe
2092	Q210203W.exe
2092	Q210203W.exe
2148	Q210203W.exe
2148	Q210203W.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe
2352	help.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2092	Q210203W.exe
2148	Q210203W.exe
2148	Q210203W.exe
2148	Q210203W.exe
2352	help.exe
2352	help.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	Q210203W.exe
Token: SeDebugPrivilege	2352	help.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2148	2092	Q210203W.exe	30
PID 2092 wrote to memory of 2148	2092	Q210203W.exe	30
PID 2092 wrote to memory of 2148	2092	Q210203W.exe	30
PID 2092 wrote to memory of 2148	2092	Q210203W.exe	30
PID 2092 wrote to memory of 2148	2092	Q210203W.exe	30
PID 1216 wrote to memory of 2352	1216	Explorer.EXE	31
PID 1216 wrote to memory of 2352	1216	Explorer.EXE	31
PID 1216 wrote to memory of 2352	1216	Explorer.EXE	31
PID 1216 wrote to memory of 2352	1216	Explorer.EXE	31
PID 2352 wrote to memory of 2824	2352	help.exe	32
PID 2352 wrote to memory of 2824	2352	help.exe	32
PID 2352 wrote to memory of 2824	2352	help.exe	32
PID 2352 wrote to memory of 2824	2352	help.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\Q210203W.exe
  "C:\Users\Admin\AppData\Local\Temp\Q210203W.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\Q210203W.exe
    "C:\Users\Admin\AppData\Local\Temp\Q210203W.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Q210203W.exe"
    3⤵
    - Deletes itself
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Isdjek.dll

Filesize
10KB

MD5
736d1bc5cb5ad0af70d6a94b768f2803

SHA1
5cd2f1e890d3f493dc61c05130c8ca2979ee0bb4

SHA256
1bba6e6e13f028e67d529d52e3614b607536f718b5d8e0aa6cd98f1aa15101b7

SHA512
909e33ffdbbe3c6f797e3eea14d5722addbbe3e5c9cb085dc2edbd8d69942de3d6dd58a57f5476a5e255b80b50869a516814b1b9791c388a2fb7749ca246cbff

Download Submit
\Users\Admin\AppData\Local\Temp\nst8DFE.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/1216-18-0x0000000003E70000-0x0000000003F2F000-memory.dmp

Filesize
764KB

Download
memory/1216-26-0x0000000003E70000-0x0000000003F2F000-memory.dmp

Filesize
764KB

Download
memory/2092-12-0x00000000742C0000-0x00000000742C6000-memory.dmp

Filesize
24KB

Download
memory/2092-14-0x00000000742C0000-0x00000000742C6000-memory.dmp

Filesize
24KB

Download
memory/2148-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2148-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2352-22-0x0000000000D00000-0x0000000000D06000-memory.dmp

Filesize
24KB

Download
memory/2352-21-0x0000000000D00000-0x0000000000D06000-memory.dmp

Filesize
24KB

Download
memory/2352-23-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing