xloader | ba89ade366c193b814186b75bcadc49c528f0c84a2bf9840b38870bc59835e1b

General

Target

aoo.exe
Size

984KB
MD5

7900dcea134e84a16491a43722518b95
SHA1

4c904c97c6d806a86edebe06f0972a8f8d20d6d9
SHA256

c349c8a20c6576c397a5dff95fb121e7a16dfdd992e08694a4aacf387cf8c3e7
SHA512

099c086a8451d14df7f2fa9af3a953e5121e45206b8e0f4236414bd774db903763845072f80943fc43f269117a79c0363402114f5412402af74cad3b3ec840fe
SSDEEP

12288:iEx2iNB0O7yJ0JTlkSuiTgcuj0AzWxNAmydE7Cagkjc3p3srKEZGYKxpeQxx+qx8:71+kxkFHbJzuOdEGa3jc3p3Ap8djxU

Score

10^/10

xloader vfm2 discovery execution loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

vfm2

Decoy

swedishchess.com

vanlifedubai.com

srespd.com

aquaeyego.com

mipily.com

wolderland-technologiesmy.com

reidandwriteon.com

realtywithgeorge.com

thomasangelop.com

innotecon.com

alternativedata.services

shogohorinouchi.com

fuliba001.xyz

levelprism.com

auditocity.club

opmatix.com

eds.center

sophia-tokimeki.com

htbrasil.com

trueacademia.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1856-20-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2120-25-0x00000000000C0000-0x00000000000E9000-memory.dmp	xloader

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
772	powershell.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2720-3-0x00000000005E0000-0x00000000005F8000-memory.dmp	net_reactor

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 1856	2720	aoo.exe	35
PID 1856 set thread context of 1192	1856	RegSvcs.exe	21
PID 2120 set thread context of 1192	2120	chkdsk.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chkdsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1140	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2720	aoo.exe
2720	aoo.exe
1856	RegSvcs.exe
1856	RegSvcs.exe
772	powershell.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe
2120	chkdsk.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1856	RegSvcs.exe
1856	RegSvcs.exe
1856	RegSvcs.exe
2120	chkdsk.exe
2120	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	aoo.exe
Token: SeDebugPrivilege	1856	RegSvcs.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2120	chkdsk.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 772	2720	aoo.exe	31
PID 2720 wrote to memory of 772	2720	aoo.exe	31
PID 2720 wrote to memory of 772	2720	aoo.exe	31
PID 2720 wrote to memory of 772	2720	aoo.exe	31
PID 2720 wrote to memory of 1140	2720	aoo.exe	33
PID 2720 wrote to memory of 1140	2720	aoo.exe	33
PID 2720 wrote to memory of 1140	2720	aoo.exe	33
PID 2720 wrote to memory of 1140	2720	aoo.exe	33
PID 2720 wrote to memory of 1856	2720	aoo.exe	35
PID 2720 wrote to memory of 1856	2720	aoo.exe	35
PID 2720 wrote to memory of 1856	2720	aoo.exe	35
PID 2720 wrote to memory of 1856	2720	aoo.exe	35
PID 2720 wrote to memory of 1856	2720	aoo.exe	35
PID 2720 wrote to memory of 1856	2720	aoo.exe	35
PID 2720 wrote to memory of 1856	2720	aoo.exe	35
PID 2720 wrote to memory of 1856	2720	aoo.exe	35
PID 2720 wrote to memory of 1856	2720	aoo.exe	35
PID 2720 wrote to memory of 1856	2720	aoo.exe	35
PID 1192 wrote to memory of 2120	1192	Explorer.EXE	36
PID 1192 wrote to memory of 2120	1192	Explorer.EXE	36
PID 1192 wrote to memory of 2120	1192	Explorer.EXE	36
PID 1192 wrote to memory of 2120	1192	Explorer.EXE	36
PID 2120 wrote to memory of 2116	2120	chkdsk.exe	37
PID 2120 wrote to memory of 2116	2120	chkdsk.exe	37
PID 2120 wrote to memory of 2116	2120	chkdsk.exe	37
PID 2120 wrote to memory of 2116	2120	chkdsk.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\aoo.exe
  "C:\Users\Admin\AppData\Local\Temp\aoo.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OadPdT.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OadPdT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFDFE.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1140
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1856
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFDFE.tmp

Filesize
1KB

MD5
221bc4194e8a26ad00ed6bc4e8ae4946

SHA1
91c97df96a686efd3f3b4c235b375ec1d9594e0c

SHA256
b98f2b1ecfbf12abe9d556efb5e28c58d1414642a761b0962af1f1123b3e58bf

SHA512
f8d2e30286624432d1b670b9e98a451eafbd7666dd7ae87b6beea5f7b2e94f99bc2c0e377bd9e4264284648d7c8c89064f503860220296d13482f5625af02d40

Download Submit
memory/1192-23-0x0000000003B30000-0x0000000003C30000-memory.dmp

Filesize
1024KB

Download
memory/1856-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1856-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1856-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1856-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2120-25-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/2120-24-0x0000000000210000-0x0000000000217000-memory.dmp

Filesize
28KB

Download
memory/2720-4-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

Filesize
4KB

Download
memory/2720-12-0x00000000052C0000-0x0000000005308000-memory.dmp

Filesize
288KB

Download
memory/2720-6-0x0000000005730000-0x00000000057F6000-memory.dmp

Filesize
792KB

Download
memory/2720-5-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-0-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

Filesize
4KB

Download
memory/2720-21-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-3-0x00000000005E0000-0x00000000005F8000-memory.dmp

Filesize
96KB

Download
memory/2720-2-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-1-0x0000000000B60000-0x0000000000C5C000-memory.dmp

Filesize
1008KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads