xloader | 7e9997ea452090062e0512decd987ccd4ad16cc04d8bea777a4c8929b5ba85aa

General

Target

don.exe
Size

207KB
MD5

6ca72f0ceaf0d1f582856ceeff594c1d
SHA1

c174f3350fb589beea7759eade0f5be0d7959d2c
SHA256

7e9997ea452090062e0512decd987ccd4ad16cc04d8bea777a4c8929b5ba85aa
SHA512

3018288f3125203a8d71b20a962ec672e3b256b4ce30b85dbe155e81355570d1803e72b10c2a8c1f0a34a984eb1ec1adfd7db5a2ca873a654564ae654f9e700f

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.montcoimmigrationlawyer.com/uoe8/

Decoy

chalance.design

certifiedlaywernj.com

bsbgraphic.com

caeka.com

zagorafinancial.com

cvingenieriacivil.net

mojilifenoosa.com

bucktheherd.net

sparkmonic.com

catherineandwilson.com

cdefenders.com

intersp.net

santoriniimpressivetours.net

arkansaspaymentrelief.com

tewab.com

bjzjgjg.com

michgoliki.com

oallahplease.com

plaisterpress.com

redyroblx.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3004-117-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/208-124-0x0000000000810000-0x0000000000839000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

don.exe

pid process

908 don.exe

pid	process
908	don.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

don.exedon.execontrol.exe

description	pid	process	target process
PID 908 set thread context of 3004	908	don.exe	don.exe
PID 3004 set thread context of 2644	3004	don.exe	Explorer.EXE
PID 208 set thread context of 2644	208	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

don.execontrol.exe

pid	process
3004	don.exe
3004	don.exe
3004	don.exe
3004	don.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe
208	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2644 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

don.exedon.execontrol.exe

pid process

908 don.exe
3004 don.exe
3004 don.exe
3004 don.exe
208 control.exe
208 control.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

don.execontrol.exe

description pid process

Token: SeDebugPrivilege 3004 don.exe
Token: SeDebugPrivilege 208 control.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2644 Explorer.EXE

pid	process
2644	Explorer.EXE

pid	process
908	don.exe
3004	don.exe
3004	don.exe
3004	don.exe
208	control.exe
208	control.exe

description	pid	process
Token: SeDebugPrivilege	3004	don.exe
Token: SeDebugPrivilege	208	control.exe

pid	process
2644	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

don.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 908 wrote to memory of 3004	908	don.exe	don.exe
PID 908 wrote to memory of 3004	908	don.exe	don.exe
PID 908 wrote to memory of 3004	908	don.exe	don.exe
PID 908 wrote to memory of 3004	908	don.exe	don.exe
PID 2644 wrote to memory of 208	2644	Explorer.EXE	control.exe
PID 2644 wrote to memory of 208	2644	Explorer.EXE	control.exe
PID 2644 wrote to memory of 208	2644	Explorer.EXE	control.exe
PID 208 wrote to memory of 2268	208	control.exe	cmd.exe
PID 208 wrote to memory of 2268	208	control.exe	cmd.exe
PID 208 wrote to memory of 2268	208	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\don.exe
"C:\Users\Admin\AppData\Local\Temp\don.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\don.exe
"C:\Users\Admin\AppData\Local\Temp\don.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\don.exe"
3⤵
PID:2268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsi9B2E.tmp\7b2cj29fa3g7q.dll

MD5
577e21212f3f34fe2aaf20f33eee5754

SHA1
e28e898f2fce097c37ddbff51650f686e22c9ac2

SHA256
21959f75704d50a6b7744b63a002365bee692cd085fd8a0b02b738fb83562301

SHA512
a5d3f69bd5d560b69710bd528ad49fdff4c072d7628938e0f9969044ffd57b0574a7d1fbe117cb4447ed102798b9750bc50e569612384cfe9a810858afec673b

Download Submit
memory/208-125-0x00000000047F0000-0x0000000004B10000-memory.dmp

Filesize
3.1MB

Download
memory/208-126-0x00000000010F0000-0x0000000001180000-memory.dmp

Filesize
576KB

Download
memory/208-124-0x0000000000810000-0x0000000000839000-memory.dmp

Filesize
164KB

Download
memory/208-121-0x0000000000000000-mapping.dmp

Download
memory/208-123-0x00000000013D0000-0x00000000013F0000-memory.dmp

Filesize
128KB

Download
memory/908-116-0x0000000000AD0000-0x0000000000AD2000-memory.dmp

Filesize
8KB

Download
memory/2268-122-0x0000000000000000-mapping.dmp

Download
memory/2644-127-0x0000000006460000-0x000000000658E000-memory.dmp

Filesize
1.2MB

Download
memory/2644-120-0x0000000002C20000-0x0000000002D01000-memory.dmp

Filesize
900KB

Download
memory/3004-117-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3004-118-0x0000000000AF0000-0x0000000000E10000-memory.dmp

Filesize
3.1MB

Download
memory/3004-119-0x0000000000E10000-0x0000000000E21000-memory.dmp

Filesize
68KB

Download
memory/3004-115-0x000000000041D0A0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads