xloader | 7647af23ff3154b3cab47d0ad05f1c9ee4779f8bd862ef6a4e19d4b70185c5c3

General

Target

Lanco,pdf.exe
Size

245KB
MD5

d539972067e967998d09d0a2f1b31b52
SHA1

20fce9b0e4e0f86143dfba1259b0293a32d74cbb
SHA256

b36a2901bfafd8723bfddd0388f65b0a46237b063ca33edbf773bb589f929981
SHA512

ffa91ce8a780bf1a8fb9f2dba0d5fc74744c82a600d6890acafeff6610828e6d8da751b34cb2ea46558c9a2387c66415c82c254c6131467546fbbae19b3bcd65

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.buymobilia.com/ugtw/

Decoy

keystohumanconnection.com

kba5imberly.xyz

wanshuila.com

haus2690dsgnbuild.com

sf-exprrss.com

volesvip.com

pointmansoutpost.com

rytfs.com

hosoume.com

momentsbymich.com

foxterrier-vonderfinsterley.com

uviibe.com

chiaraborrello.com

ild.academy

chinchinyap.com

cn-emmy.com

ixhaberler.com

styles28.space

schutz-service.com

ycgcwsp.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1428-64-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1708-72-0x00000000000D0000-0x00000000000F8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1516 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

Lanco,pdf.exe

pid process

1632 Lanco,pdf.exe

pid	process
1516	cmd.exe

pid	process
1632	Lanco,pdf.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Lanco,pdf.exeLanco,pdf.exerundll32.exe

description	pid	process	target process
PID 1632 set thread context of 1428	1632	Lanco,pdf.exe	Lanco,pdf.exe
PID 1428 set thread context of 1244	1428	Lanco,pdf.exe	Explorer.EXE
PID 1708 set thread context of 1244	1708	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

Lanco,pdf.exerundll32.exe

pid	process
1428	Lanco,pdf.exe
1428	Lanco,pdf.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Lanco,pdf.exeLanco,pdf.exerundll32.exe

pid process

1632 Lanco,pdf.exe
1428 Lanco,pdf.exe
1428 Lanco,pdf.exe
1428 Lanco,pdf.exe
1708 rundll32.exe
1708 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Lanco,pdf.exerundll32.exe

description pid process

Token: SeDebugPrivilege 1428 Lanco,pdf.exe
Token: SeDebugPrivilege 1708 rundll32.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE
1244 Explorer.EXE

pid	process
1244	Explorer.EXE

pid	process
1632	Lanco,pdf.exe
1428	Lanco,pdf.exe
1428	Lanco,pdf.exe
1428	Lanco,pdf.exe
1708	rundll32.exe
1708	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1428	Lanco,pdf.exe
Token: SeDebugPrivilege	1708	rundll32.exe

pid	process
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE

pid	process
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Lanco,pdf.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1632 wrote to memory of 1428	1632	Lanco,pdf.exe	Lanco,pdf.exe
PID 1632 wrote to memory of 1428	1632	Lanco,pdf.exe	Lanco,pdf.exe
PID 1632 wrote to memory of 1428	1632	Lanco,pdf.exe	Lanco,pdf.exe
PID 1632 wrote to memory of 1428	1632	Lanco,pdf.exe	Lanco,pdf.exe
PID 1632 wrote to memory of 1428	1632	Lanco,pdf.exe	Lanco,pdf.exe
PID 1244 wrote to memory of 1708	1244	Explorer.EXE	rundll32.exe
PID 1244 wrote to memory of 1708	1244	Explorer.EXE	rundll32.exe
PID 1244 wrote to memory of 1708	1244	Explorer.EXE	rundll32.exe
PID 1244 wrote to memory of 1708	1244	Explorer.EXE	rundll32.exe
PID 1244 wrote to memory of 1708	1244	Explorer.EXE	rundll32.exe
PID 1244 wrote to memory of 1708	1244	Explorer.EXE	rundll32.exe
PID 1244 wrote to memory of 1708	1244	Explorer.EXE	rundll32.exe
PID 1708 wrote to memory of 1516	1708	rundll32.exe	cmd.exe
PID 1708 wrote to memory of 1516	1708	rundll32.exe	cmd.exe
PID 1708 wrote to memory of 1516	1708	rundll32.exe	cmd.exe
PID 1708 wrote to memory of 1516	1708	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1428
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
    3⤵
    - Deletes itself
    PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsn54B7.tmp\b64gt.dll

MD5
c51e82e4d8b71b52311dd3b83ed82da8

SHA1
d30a8cd5a36fe7d59b1ec9209913e2297e588b7c

SHA256
5293ac79c7ae9256c12874bacd71b555250484a139726625ebc414e871616f12

SHA512
45127a9290386396b26f050ed653985651c7c19f281743fc3aa9d0f7b69c72a22a9b5fee09c2862360ef3d1b289a1569babd5b25a0861c271efc7f0e15183c93

Download Submit
memory/1244-67-0x0000000004E20000-0x0000000004FB2000-memory.dmp

Filesize
1.6MB

Download
memory/1244-75-0x0000000004FC0000-0x0000000005137000-memory.dmp

Filesize
1.5MB

Download
memory/1428-66-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1428-65-0x0000000000730000-0x0000000000A33000-memory.dmp

Filesize
3.0MB

Download
memory/1428-64-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1428-62-0x000000000041D040-mapping.dmp

Download
memory/1516-73-0x0000000000000000-mapping.dmp

Download
memory/1632-63-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/1632-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1708-68-0x0000000000000000-mapping.dmp

Download
memory/1708-70-0x00000000007E0000-0x00000000007EE000-memory.dmp

Filesize
56KB

Download
memory/1708-71-0x0000000002260000-0x0000000002563000-memory.dmp

Filesize
3.0MB

Download
memory/1708-72-0x00000000000D0000-0x00000000000F8000-memory.dmp

Filesize
160KB

Download
memory/1708-74-0x0000000000420000-0x00000000004AF000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads