xloader | 7647af23ff3154b3cab47d0ad05f1c9ee4779f8bd862ef6a4e19d4b70185c5c3

General

Target

Lanco,pdf.exe
Size

245KB
MD5

d539972067e967998d09d0a2f1b31b52
SHA1

20fce9b0e4e0f86143dfba1259b0293a32d74cbb
SHA256

b36a2901bfafd8723bfddd0388f65b0a46237b063ca33edbf773bb589f929981
SHA512

ffa91ce8a780bf1a8fb9f2dba0d5fc74744c82a600d6890acafeff6610828e6d8da751b34cb2ea46558c9a2387c66415c82c254c6131467546fbbae19b3bcd65

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.buymobilia.com/ugtw/

Decoy

keystohumanconnection.com

kba5imberly.xyz

wanshuila.com

haus2690dsgnbuild.com

sf-exprrss.com

volesvip.com

pointmansoutpost.com

rytfs.com

hosoume.com

momentsbymich.com

foxterrier-vonderfinsterley.com

uviibe.com

chiaraborrello.com

ild.academy

chinchinyap.com

cn-emmy.com

ixhaberler.com

styles28.space

schutz-service.com

ycgcwsp.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/908-117-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/2336-124-0x00000000031C0000-0x00000000031E8000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

Lanco,pdf.exe

pid process

3944 Lanco,pdf.exe

pid	process
3944	Lanco,pdf.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Lanco,pdf.exeLanco,pdf.exemsdt.exe

description	pid	process	target process
PID 3944 set thread context of 908	3944	Lanco,pdf.exe	Lanco,pdf.exe
PID 908 set thread context of 2492	908	Lanco,pdf.exe	Explorer.EXE
PID 2336 set thread context of 2492	2336	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

Lanco,pdf.exemsdt.exe

pid	process
908	Lanco,pdf.exe
908	Lanco,pdf.exe
908	Lanco,pdf.exe
908	Lanco,pdf.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe
2336	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2492 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Lanco,pdf.exeLanco,pdf.exemsdt.exe

pid process

3944 Lanco,pdf.exe
908 Lanco,pdf.exe
908 Lanco,pdf.exe
908 Lanco,pdf.exe
2336 msdt.exe
2336 msdt.exe

pid	process
2492	Explorer.EXE

pid	process
3944	Lanco,pdf.exe
908	Lanco,pdf.exe
908	Lanco,pdf.exe
908	Lanco,pdf.exe
2336	msdt.exe
2336	msdt.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Lanco,pdf.exeExplorer.EXEmsdt.exe

description	pid	process
Token: SeDebugPrivilege	908	Lanco,pdf.exe
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeShutdownPrivilege	2492	Explorer.EXE
Token: SeCreatePagefilePrivilege	2492	Explorer.EXE
Token: SeDebugPrivilege	2336	msdt.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2492 Explorer.EXE

pid	process
2492	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Lanco,pdf.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 3944 wrote to memory of 908	3944	Lanco,pdf.exe	Lanco,pdf.exe
PID 3944 wrote to memory of 908	3944	Lanco,pdf.exe	Lanco,pdf.exe
PID 3944 wrote to memory of 908	3944	Lanco,pdf.exe	Lanco,pdf.exe
PID 3944 wrote to memory of 908	3944	Lanco,pdf.exe	Lanco,pdf.exe
PID 2492 wrote to memory of 2336	2492	Explorer.EXE	msdt.exe
PID 2492 wrote to memory of 2336	2492	Explorer.EXE	msdt.exe
PID 2492 wrote to memory of 2336	2492	Explorer.EXE	msdt.exe
PID 2336 wrote to memory of 2948	2336	msdt.exe	cmd.exe
PID 2336 wrote to memory of 2948	2336	msdt.exe	cmd.exe
PID 2336 wrote to memory of 2948	2336	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2492

C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1808

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1824

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1836

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1932

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2064

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1568

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2056

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2184

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2248

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
3⤵
PID:2948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsu538.tmp\b64gt.dll
MD5
c51e82e4d8b71b52311dd3b83ed82da8

SHA1
d30a8cd5a36fe7d59b1ec9209913e2297e588b7c

SHA256
5293ac79c7ae9256c12874bacd71b555250484a139726625ebc414e871616f12

SHA512
45127a9290386396b26f050ed653985651c7c19f281743fc3aa9d0f7b69c72a22a9b5fee09c2862360ef3d1b289a1569babd5b25a0861c271efc7f0e15183c93

Download Submit
memory/908-119-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/908-115-0x000000000041D040-mapping.dmp

Download
memory/908-117-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/908-118-0x0000000000BB0000-0x0000000000ED0000-memory.dmp

Filesize
3.1MB

Download
memory/2336-124-0x00000000031C0000-0x00000000031E8000-memory.dmp

Filesize
160KB

Download
memory/2336-121-0x0000000000000000-mapping.dmp

Download
memory/2336-123-0x0000000001020000-0x0000000001193000-memory.dmp

Filesize
1.4MB

Download
memory/2336-125-0x00000000049B0000-0x0000000004CD0000-memory.dmp

Filesize
3.1MB

Download
memory/2336-126-0x0000000004D60000-0x0000000004DEF000-memory.dmp

Filesize
572KB

Download
memory/2492-120-0x00000000058D0000-0x00000000059CD000-memory.dmp

Filesize
1012KB

Download
memory/2492-127-0x00000000033A0000-0x000000000347F000-memory.dmp

Filesize
892KB

Download
memory/2948-122-0x0000000000000000-mapping.dmp

Download
memory/3944-116-0x0000000000AC0000-0x0000000000AC2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads