xloader | 0c5a22c770faa9a49feb2d8c881d51138f4892dad188e3391d345d0865e8953b

General

Target

SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe
Size

256KB
MD5

169763f8e7731554cf5588290a6bc91e
SHA1

d7ae18ba8e1c5043a152bc29aef950c4b3841c3a
SHA256

0c5a22c770faa9a49feb2d8c881d51138f4892dad188e3391d345d0865e8953b
SHA512

2744e153948acfc48cf968674d43d964784588e6a3088f699b505f58afe2d86feaf9a4ba6365b2979353d1a2561a76c4fe07316ec67838a5b2b85855308ffb3c

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.onyxcomputing.com/u8nw/

Decoy

constructionjadams.com

organicwellnessfarm.com

beautiful.tours

medvows.com

foxparanormal.com

fsmxmc.com

graniterealestategroup.net

qgi1.com

astrologicsolutions.com

rafbar.com

bastiontools.net

emotist.com

stacyleets.com

bloodtypealpha.com

healtybenenfitsplus.com

vavadadoa3.com

chefbenhk.com

dotgz.com

xn--z4qm188e645c.com

ethyi.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1172-64-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe

pid process

1632 SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe

pid	process
1632	SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe

description	pid	process	target process
PID 1632 set thread context of 1172	1632	SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe	SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe

pid process

1172 SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe

pid process

1632 SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe

pid	process
1172	SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe

pid	process
1632	SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe

description	pid	process	target process
PID 1632 wrote to memory of 1172	1632	SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe	SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe
PID 1632 wrote to memory of 1172	1632	SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe	SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe
PID 1632 wrote to memory of 1172	1632	SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe	SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe
PID 1632 wrote to memory of 1172	1632	SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe	SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe
PID 1632 wrote to memory of 1172	1632	SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe	SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Androm.29.7073.26917.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1172

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsc4F49.tmp\o61oo6akr5hl9a.dll
MD5
240c73004229183bda7377e68d714c75

SHA1
952c60daad92a603e0e314c8ba13384fe9bdd8be

SHA256
8be3fbc8b2a2136ac4d7b35d721a5ec6847161a8e6b4137a0c11a8594603c0df

SHA512
4806f90bdbf16a8fdc0934383fda9052dba05ab3f21704131b5f683a74fef04aa723f1dd0638ffbceffd4e2e731f84c8b420d606e935e86be931e72326c90c88

Download Submit
memory/1172-63-0x000000000041D0C0-mapping.dmp

Download
memory/1172-65-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/1172-64-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1632-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1632-62-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads