xloader | 7e9997ea452090062e0512decd987ccd4ad16cc04d8bea777a4c8929b5ba85aa

General

Target

don.exe
Size

207KB
MD5

6ca72f0ceaf0d1f582856ceeff594c1d
SHA1

c174f3350fb589beea7759eade0f5be0d7959d2c
SHA256

7e9997ea452090062e0512decd987ccd4ad16cc04d8bea777a4c8929b5ba85aa
SHA512

3018288f3125203a8d71b20a962ec672e3b256b4ce30b85dbe155e81355570d1803e72b10c2a8c1f0a34a984eb1ec1adfd7db5a2ca873a654564ae654f9e700f

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.montcoimmigrationlawyer.com/uoe8/

Decoy

chalance.design

certifiedlaywernj.com

bsbgraphic.com

caeka.com

zagorafinancial.com

cvingenieriacivil.net

mojilifenoosa.com

bucktheherd.net

sparkmonic.com

catherineandwilson.com

cdefenders.com

intersp.net

santoriniimpressivetours.net

arkansaspaymentrelief.com

tewab.com

bjzjgjg.com

michgoliki.com

oallahplease.com

plaisterpress.com

redyroblx.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1240-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1636-72-0x00000000000C0000-0x00000000000E9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1532 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

don.exe

pid process

1088 don.exe

pid	process
1532	cmd.exe

pid	process
1088	don.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

don.exedon.execmd.exe

description	pid	process	target process
PID 1088 set thread context of 1240	1088	don.exe	don.exe
PID 1240 set thread context of 1248	1240	don.exe	Explorer.EXE
PID 1240 set thread context of 1248	1240	don.exe	Explorer.EXE
PID 1636 set thread context of 1248	1636	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

don.execmd.exe

pid	process
1240	don.exe
1240	don.exe
1240	don.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe
1636	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

don.exedon.execmd.exe

pid process

1088 don.exe
1240 don.exe
1240 don.exe
1240 don.exe
1240 don.exe
1636 cmd.exe
1636 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

don.execmd.exe

description pid process

Token: SeDebugPrivilege 1240 don.exe
Token: SeDebugPrivilege 1636 cmd.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE

pid	process
1248	Explorer.EXE

pid	process
1088	don.exe
1240	don.exe
1240	don.exe
1240	don.exe
1240	don.exe
1636	cmd.exe
1636	cmd.exe

description	pid	process
Token: SeDebugPrivilege	1240	don.exe
Token: SeDebugPrivilege	1636	cmd.exe

pid	process
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

don.exedon.execmd.exe

description	pid	process	target process
PID 1088 wrote to memory of 1240	1088	don.exe	don.exe
PID 1088 wrote to memory of 1240	1088	don.exe	don.exe
PID 1088 wrote to memory of 1240	1088	don.exe	don.exe
PID 1088 wrote to memory of 1240	1088	don.exe	don.exe
PID 1088 wrote to memory of 1240	1088	don.exe	don.exe
PID 1240 wrote to memory of 1636	1240	don.exe	cmd.exe
PID 1240 wrote to memory of 1636	1240	don.exe	cmd.exe
PID 1240 wrote to memory of 1636	1240	don.exe	cmd.exe
PID 1240 wrote to memory of 1636	1240	don.exe	cmd.exe
PID 1636 wrote to memory of 1532	1636	cmd.exe	cmd.exe
PID 1636 wrote to memory of 1532	1636	cmd.exe	cmd.exe
PID 1636 wrote to memory of 1532	1636	cmd.exe	cmd.exe
PID 1636 wrote to memory of 1532	1636	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1248

C:\Users\Admin\AppData\Local\Temp\don.exe
"C:\Users\Admin\AppData\Local\Temp\don.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\don.exe
"C:\Users\Admin\AppData\Local\Temp\don.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\don.exe"
5⤵
- Deletes itself
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsn2CCD.tmp\7b2cj29fa3g7q.dll

MD5
577e21212f3f34fe2aaf20f33eee5754

SHA1
e28e898f2fce097c37ddbff51650f686e22c9ac2

SHA256
21959f75704d50a6b7744b63a002365bee692cd085fd8a0b02b738fb83562301

SHA512
a5d3f69bd5d560b69710bd528ad49fdff4c072d7628938e0f9969044ffd57b0574a7d1fbe117cb4447ed102798b9750bc50e569612384cfe9a810858afec673b

Download Submit
memory/1088-62-0x0000000001D30000-0x0000000001D32000-memory.dmp

Filesize
8KB

Download
memory/1088-59-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1240-67-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/1240-64-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download
memory/1240-65-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/1240-61-0x000000000041D0A0-mapping.dmp

Download
memory/1240-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1248-75-0x0000000006AC0000-0x0000000006B93000-memory.dmp

Filesize
844KB

Download
memory/1248-66-0x0000000006EE0000-0x0000000007053000-memory.dmp

Filesize
1.4MB

Download
memory/1248-68-0x0000000004190000-0x000000000423F000-memory.dmp

Filesize
700KB

Download
memory/1532-70-0x0000000000000000-mapping.dmp

Download
memory/1636-69-0x0000000000000000-mapping.dmp

Download
memory/1636-72-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/1636-73-0x0000000002020000-0x0000000002323000-memory.dmp

Filesize
3.0MB

Download
memory/1636-74-0x0000000001D50000-0x0000000001DE0000-memory.dmp

Filesize
576KB

Download
memory/1636-71-0x000000004A800000-0x000000004A84C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads