xloader | 2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67

General

Target

716f61cba6d08cd0c1904bcc827b56a0.exe
Size

207KB
MD5

716f61cba6d08cd0c1904bcc827b56a0
SHA1

357a1acb28174392e191716972537555790ae792
SHA256

2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67
SHA512

6b392de718dca8d95b05f06a466b9e52ad0f757fef81a6237b541563f60cb2238ea5f451fe6ed4ca1edb9ba8af14318ea3c6d6708e456273544ddfdd5328d24e

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.stonescapes1.com/de92/

Decoy

zindaginews.com

tyelevator.com

schustermaninterests.com

algemixdelchef.com

doubscollectivites.com

e-butchery.com

hellbentmask.com

jumbpprivacy.com

teeniestiedye.com

playfulartwork.com

desertvacahs.com

w5470-hed.net

nepalearningpods.com

smoothandsleek.com

thecannaglow.com

torrentkittyla.com

industrytoyou.com

raquelvargas.net

rlc-nc.net

cryptoprises.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4904-117-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

716f61cba6d08cd0c1904bcc827b56a0.exe

pid process

4432 716f61cba6d08cd0c1904bcc827b56a0.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

716f61cba6d08cd0c1904bcc827b56a0.exe

description pid process target process

PID 4432 set thread context of 4904 4432 716f61cba6d08cd0c1904bcc827b56a0.exe 716f61cba6d08cd0c1904bcc827b56a0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

716f61cba6d08cd0c1904bcc827b56a0.exe

pid process

4904 716f61cba6d08cd0c1904bcc827b56a0.exe
4904 716f61cba6d08cd0c1904bcc827b56a0.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

716f61cba6d08cd0c1904bcc827b56a0.exe

pid process

4432 716f61cba6d08cd0c1904bcc827b56a0.exe

pid	process
4432	716f61cba6d08cd0c1904bcc827b56a0.exe

description	pid	process	target process
PID 4432 set thread context of 4904	4432	716f61cba6d08cd0c1904bcc827b56a0.exe	716f61cba6d08cd0c1904bcc827b56a0.exe

pid	process
4904	716f61cba6d08cd0c1904bcc827b56a0.exe
4904	716f61cba6d08cd0c1904bcc827b56a0.exe

pid	process
4432	716f61cba6d08cd0c1904bcc827b56a0.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

716f61cba6d08cd0c1904bcc827b56a0.exe

description	pid	process	target process
PID 4432 wrote to memory of 4904	4432	716f61cba6d08cd0c1904bcc827b56a0.exe	716f61cba6d08cd0c1904bcc827b56a0.exe
PID 4432 wrote to memory of 4904	4432	716f61cba6d08cd0c1904bcc827b56a0.exe	716f61cba6d08cd0c1904bcc827b56a0.exe
PID 4432 wrote to memory of 4904	4432	716f61cba6d08cd0c1904bcc827b56a0.exe	716f61cba6d08cd0c1904bcc827b56a0.exe
PID 4432 wrote to memory of 4904	4432	716f61cba6d08cd0c1904bcc827b56a0.exe	716f61cba6d08cd0c1904bcc827b56a0.exe

C:\Users\Admin\AppData\Local\Temp\716f61cba6d08cd0c1904bcc827b56a0.exe
"C:\Users\Admin\AppData\Local\Temp\716f61cba6d08cd0c1904bcc827b56a0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\AppData\Local\Temp\716f61cba6d08cd0c1904bcc827b56a0.exe
"C:\Users\Admin\AppData\Local\Temp\716f61cba6d08cd0c1904bcc827b56a0.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsb9EB.tmp\shsmack.dll

MD5
754f65f8025460256126f94d880be78e

SHA1
888427853b9b5d919423eaabe8be2fb126a80203

SHA256
4f70280ff2a0811ddcb7fee2893d432e78234f8121f83c8d51f4ad3f0caaa75d

SHA512
3a1079624bc0b56f14e9b991540d9f8e8ef8085d8b133eb340a0320f6db4a44ecbec778be29cf0bf175c9479b1c88dc0d30b8458750983fbe08229c89cbb197a

Download Submit
memory/4432-116-0x0000000002290000-0x0000000002292000-memory.dmp

Filesize
8KB

Download
memory/4904-115-0x000000000041D010-mapping.dmp

Download
memory/4904-117-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4904-118-0x0000000000A20000-0x0000000000D40000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing