xloader | 7647af23ff3154b3cab47d0ad05f1c9ee4779f8bd862ef6a4e19d4b70185c5c3

General

Target

Lanco,pdf.exe
Size

245KB
MD5

d539972067e967998d09d0a2f1b31b52
SHA1

20fce9b0e4e0f86143dfba1259b0293a32d74cbb
SHA256

b36a2901bfafd8723bfddd0388f65b0a46237b063ca33edbf773bb589f929981
SHA512

ffa91ce8a780bf1a8fb9f2dba0d5fc74744c82a600d6890acafeff6610828e6d8da751b34cb2ea46558c9a2387c66415c82c254c6131467546fbbae19b3bcd65

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.buymobilia.com/ugtw/

Decoy

keystohumanconnection.com

kba5imberly.xyz

wanshuila.com

haus2690dsgnbuild.com

sf-exprrss.com

volesvip.com

pointmansoutpost.com

rytfs.com

hosoume.com

momentsbymich.com

foxterrier-vonderfinsterley.com

uviibe.com

chiaraborrello.com

ild.academy

chinchinyap.com

cn-emmy.com

ixhaberler.com

styles28.space

schutz-service.com

ycgcwsp.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2968-117-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/848-124-0x0000000000360000-0x0000000000388000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

Lanco,pdf.exe

pid process

912 Lanco,pdf.exe

pid	process
912	Lanco,pdf.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Lanco,pdf.exeLanco,pdf.exehelp.exe

description	pid	process	target process
PID 912 set thread context of 2968	912	Lanco,pdf.exe	Lanco,pdf.exe
PID 2968 set thread context of 2740	2968	Lanco,pdf.exe	Explorer.EXE
PID 848 set thread context of 2740	848	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

Lanco,pdf.exehelp.exe

pid	process
2968	Lanco,pdf.exe
2968	Lanco,pdf.exe
2968	Lanco,pdf.exe
2968	Lanco,pdf.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe
848	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2740 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Lanco,pdf.exeLanco,pdf.exehelp.exe

pid process

912 Lanco,pdf.exe
2968 Lanco,pdf.exe
2968 Lanco,pdf.exe
2968 Lanco,pdf.exe
848 help.exe
848 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Lanco,pdf.exehelp.exe

description pid process

Token: SeDebugPrivilege 2968 Lanco,pdf.exe
Token: SeDebugPrivilege 848 help.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2740 Explorer.EXE

pid	process
2740	Explorer.EXE

pid	process
912	Lanco,pdf.exe
2968	Lanco,pdf.exe
2968	Lanco,pdf.exe
2968	Lanco,pdf.exe
848	help.exe
848	help.exe

description	pid	process
Token: SeDebugPrivilege	2968	Lanco,pdf.exe
Token: SeDebugPrivilege	848	help.exe

pid	process
2740	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Lanco,pdf.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 912 wrote to memory of 2968	912	Lanco,pdf.exe	Lanco,pdf.exe
PID 912 wrote to memory of 2968	912	Lanco,pdf.exe	Lanco,pdf.exe
PID 912 wrote to memory of 2968	912	Lanco,pdf.exe	Lanco,pdf.exe
PID 912 wrote to memory of 2968	912	Lanco,pdf.exe	Lanco,pdf.exe
PID 2740 wrote to memory of 848	2740	Explorer.EXE	help.exe
PID 2740 wrote to memory of 848	2740	Explorer.EXE	help.exe
PID 2740 wrote to memory of 848	2740	Explorer.EXE	help.exe
PID 848 wrote to memory of 684	848	help.exe	cmd.exe
PID 848 wrote to memory of 684	848	help.exe	cmd.exe
PID 848 wrote to memory of 684	848	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
    3⤵
    PID:684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsa796E.tmp\b64gt.dll

MD5
c51e82e4d8b71b52311dd3b83ed82da8

SHA1
d30a8cd5a36fe7d59b1ec9209913e2297e588b7c

SHA256
5293ac79c7ae9256c12874bacd71b555250484a139726625ebc414e871616f12

SHA512
45127a9290386396b26f050ed653985651c7c19f281743fc3aa9d0f7b69c72a22a9b5fee09c2862360ef3d1b289a1569babd5b25a0861c271efc7f0e15183c93

Download Submit
memory/684-122-0x0000000000000000-mapping.dmp

Download
memory/848-126-0x0000000000AE0000-0x0000000000B6F000-memory.dmp

Filesize
572KB

Download
memory/848-125-0x0000000000C80000-0x0000000000FA0000-memory.dmp

Filesize
3.1MB

Download
memory/848-123-0x00000000010B0000-0x00000000010B7000-memory.dmp

Filesize
28KB

Download
memory/848-124-0x0000000000360000-0x0000000000388000-memory.dmp

Filesize
160KB

Download
memory/848-121-0x0000000000000000-mapping.dmp

Download
memory/912-116-0x0000000002480000-0x0000000002482000-memory.dmp

Filesize
8KB

Download
memory/2740-120-0x00000000056E0000-0x000000000584C000-memory.dmp

Filesize
1.4MB

Download
memory/2740-127-0x0000000005850000-0x000000000599A000-memory.dmp

Filesize
1.3MB

Download
memory/2968-119-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2968-118-0x0000000000B20000-0x0000000000E40000-memory.dmp

Filesize
3.1MB

Download
memory/2968-117-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2968-115-0x000000000041D040-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads