xloader | 7647af23ff3154b3cab47d0ad05f1c9ee4779f8bd862ef6a4e19d4b70185c5c3

General

Target

Lanco,pdf.exe
Size

245KB
MD5

d539972067e967998d09d0a2f1b31b52
SHA1

20fce9b0e4e0f86143dfba1259b0293a32d74cbb
SHA256

b36a2901bfafd8723bfddd0388f65b0a46237b063ca33edbf773bb589f929981
SHA512

ffa91ce8a780bf1a8fb9f2dba0d5fc74744c82a600d6890acafeff6610828e6d8da751b34cb2ea46558c9a2387c66415c82c254c6131467546fbbae19b3bcd65

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.buymobilia.com/ugtw/

Decoy

keystohumanconnection.com

kba5imberly.xyz

wanshuila.com

haus2690dsgnbuild.com

sf-exprrss.com

volesvip.com

pointmansoutpost.com

rytfs.com

hosoume.com

momentsbymich.com

foxterrier-vonderfinsterley.com

uviibe.com

chiaraborrello.com

ild.academy

chinchinyap.com

cn-emmy.com

ixhaberler.com

styles28.space

schutz-service.com

ycgcwsp.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/784-63-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1732-70-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1564 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

Lanco,pdf.exe

pid process

1840 Lanco,pdf.exe

pid	process
1564	cmd.exe

pid	process
1840	Lanco,pdf.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Lanco,pdf.exeLanco,pdf.exeNAPSTAT.EXE

description	pid	process	target process
PID 1840 set thread context of 784	1840	Lanco,pdf.exe	Lanco,pdf.exe
PID 784 set thread context of 1200	784	Lanco,pdf.exe	Explorer.EXE
PID 1732 set thread context of 1200	1732	NAPSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

Lanco,pdf.exeNAPSTAT.EXE

pid	process
784	Lanco,pdf.exe
784	Lanco,pdf.exe
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Lanco,pdf.exeLanco,pdf.exeNAPSTAT.EXE

pid process

1840 Lanco,pdf.exe
784 Lanco,pdf.exe
784 Lanco,pdf.exe
784 Lanco,pdf.exe
1732 NAPSTAT.EXE
1732 NAPSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Lanco,pdf.exeNAPSTAT.EXE

description pid process

Token: SeDebugPrivilege 784 Lanco,pdf.exe
Token: SeDebugPrivilege 1732 NAPSTAT.EXE
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE

pid	process
1200	Explorer.EXE

pid	process
1840	Lanco,pdf.exe
784	Lanco,pdf.exe
784	Lanco,pdf.exe
784	Lanco,pdf.exe
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	784	Lanco,pdf.exe
Token: SeDebugPrivilege	1732	NAPSTAT.EXE

pid	process
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE

pid	process
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Lanco,pdf.exeExplorer.EXENAPSTAT.EXE

description	pid	process	target process
PID 1840 wrote to memory of 784	1840	Lanco,pdf.exe	Lanco,pdf.exe
PID 1840 wrote to memory of 784	1840	Lanco,pdf.exe	Lanco,pdf.exe
PID 1840 wrote to memory of 784	1840	Lanco,pdf.exe	Lanco,pdf.exe
PID 1840 wrote to memory of 784	1840	Lanco,pdf.exe	Lanco,pdf.exe
PID 1840 wrote to memory of 784	1840	Lanco,pdf.exe	Lanco,pdf.exe
PID 1200 wrote to memory of 1732	1200	Explorer.EXE	NAPSTAT.EXE
PID 1200 wrote to memory of 1732	1200	Explorer.EXE	NAPSTAT.EXE
PID 1200 wrote to memory of 1732	1200	Explorer.EXE	NAPSTAT.EXE
PID 1200 wrote to memory of 1732	1200	Explorer.EXE	NAPSTAT.EXE
PID 1732 wrote to memory of 1564	1732	NAPSTAT.EXE	cmd.exe
PID 1732 wrote to memory of 1564	1732	NAPSTAT.EXE	cmd.exe
PID 1732 wrote to memory of 1564	1732	NAPSTAT.EXE	cmd.exe
PID 1732 wrote to memory of 1564	1732	NAPSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
3⤵
- Deletes itself
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsn9F0F.tmp\b64gt.dll
MD5
c51e82e4d8b71b52311dd3b83ed82da8

SHA1
d30a8cd5a36fe7d59b1ec9209913e2297e588b7c

SHA256
5293ac79c7ae9256c12874bacd71b555250484a139726625ebc414e871616f12

SHA512
45127a9290386396b26f050ed653985651c7c19f281743fc3aa9d0f7b69c72a22a9b5fee09c2862360ef3d1b289a1569babd5b25a0861c271efc7f0e15183c93

Download Submit
memory/784-65-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/784-61-0x000000000041D040-mapping.dmp

Download
memory/784-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/784-64-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/1200-73-0x0000000006130000-0x0000000006246000-memory.dmp

Filesize
1.1MB

Download
memory/1200-66-0x0000000004A30000-0x0000000004AFE000-memory.dmp

Filesize
824KB

Download
memory/1564-68-0x0000000000000000-mapping.dmp

Download
memory/1732-67-0x0000000000000000-mapping.dmp

Download
memory/1732-69-0x0000000000C10000-0x0000000000C56000-memory.dmp

Filesize
280KB

Download
memory/1732-70-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1732-71-0x0000000002060000-0x0000000002363000-memory.dmp

Filesize
3.0MB

Download
memory/1732-72-0x00000000008A0000-0x000000000092F000-memory.dmp

Filesize
572KB

Download
memory/1840-59-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1840-62-0x0000000001C70000-0x0000000001C72000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads