xloader | 1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e

General

Target

1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe
Size

256KB
MD5

f8e9ce19f4c0d0896203a7caf2fc5cd0
SHA1

b009e148764404c040683318e2a451ef61fd949d
SHA256

1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e
SHA512

2b071b94827972e65f0ca010b22d9d5a3b5fb35a77d97bd968aae2aad4b73f072e2ece013b877f441df675fd234795266979d9a45acd29d4141e7b25f011d5b1

Score

10^/10

xloader m0np loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m0np

C2

http://www.devmedicalcentre.com/m0np/

Decoy

gruppovimar.com

seniordatingtv.com

pinpinyouqian.website

retreatreflectreplenish.com

baby-handmade.store

econsupplies.com

helloaustinpodcast.com

europe-lodging.com

ferahanaokulu.com

thehomeinspo.com

rawhoneytnpasumo6.xyz

tyckasei.quest

scissorsandbuffer.com

jatinvestmentsmaldives.com

softandcute.store

afuturemakerspromotions.online

leonsigntech.com

havetheshortscovered.com

cvkf.email

iplyyu.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3612-117-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe

pid process

3388 1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe

pid	process
3388	1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe

description	pid	process	target process
PID 3388 set thread context of 3612	3388	1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe	1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe

pid	process
3612	1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe
3612	1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe

pid process

3388 1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe

pid	process
3388	1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe

description	pid	process	target process
PID 3388 wrote to memory of 3612	3388	1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe	1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe
PID 3388 wrote to memory of 3612	3388	1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe	1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe
PID 3388 wrote to memory of 3612	3388	1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe	1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe
PID 3388 wrote to memory of 3612	3388	1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe	1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe

C:\Users\Admin\AppData\Local\Temp\1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe
"C:\Users\Admin\AppData\Local\Temp\1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3388

C:\Users\Admin\AppData\Local\Temp\1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe
"C:\Users\Admin\AppData\Local\Temp\1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3612

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nssD1E7.tmp\qehsdu.dll
MD5
16f9fe837743898ba9ba9e3d30aa34b6

SHA1
31ac075fee8d161827faada1fdd35869361bcd1a

SHA256
37834fc5f894997545a3dc8d5b9dca86233c864196b5a227e3dda68451d1cc9a

SHA512
86340b6105cabe8c32413a4b08a54ce0819c24c7f7d51e846aa590de43feb5f8ddd9e82054ed2d0b87280fc4c77ea054fbd2818ede3e30728d041b7fdf197c44

Download Submit
memory/3612-116-0x000000000041D450-mapping.dmp

Download
memory/3612-117-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3612-118-0x0000000000A40000-0x0000000000D60000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads