xloader | 1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24

General

Target

1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe
Size

253KB
MD5

9d38faec3253e9ce395c8970d03d8180
SHA1

53128b83b922c39ed32065c9d8baae2c13059719
SHA256

1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24
SHA512

0c883d98ff5f255f3c4cdc1664f726606e44280e867dd727caa19cd6aa3aee849c4dc5d9555b118310f2b648a2c217d30d297005648c61edd40969e21dd2271a

Score

10^/10

xloader 9gdg loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

9gdg

C2

http://www.dechocolate.online/9gdg/

Decoy

cao-catos.ca

humanityumbrella.com

heatherflintford.com

paddyjulian.com

venturedart.com

pimpyoursmile.com

shellbacklabs.com

acesteeisupply.com

socotrajeweltours.com

aykutozden.com

corncobmeal.com

lesbiansforever.com

picknock.com

pawspetreiki.com

waikikidesignco.com

lelittnpasumo4.xyz

billing-updating.info

barangdapo.com

gatorfirerescue.com

jmovt.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/900-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe

pid process

740 1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe

pid	process
740	1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe

description	pid	process	target process
PID 740 set thread context of 900	740	1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe	1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe

pid	process
900	1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe
900	1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe

pid process

740 1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe

pid	process
740	1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe

description	pid	process	target process
PID 740 wrote to memory of 900	740	1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe	1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe
PID 740 wrote to memory of 900	740	1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe	1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe
PID 740 wrote to memory of 900	740	1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe	1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe
PID 740 wrote to memory of 900	740	1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe	1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe

C:\Users\Admin\AppData\Local\Temp\1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe
"C:\Users\Admin\AppData\Local\Temp\1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe
"C:\Users\Admin\AppData\Local\Temp\1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:900

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsr5BB8.tmp\chav.dll
MD5
03cae9032f6d2d44d8ecd93c87f1313f

SHA1
fe8f16836750db7d7fcb42d1d0ea77d55d145832

SHA256
ba8dc1fbfac80564485d83433578839c4ffe432e4ec3e81182fb7eadcc54c6b8

SHA512
5871980c59e457f47e47c86232640b2211c89bc6d3a9da7f89bf73f8f09fc6a8a48c9b88412c84367d7162349103192107ec24af637cd96227edd0db320fdc67

Download Submit
memory/900-115-0x000000000041D4A0-mapping.dmp

Download
memory/900-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/900-117-0x0000000000A80000-0x0000000000DA0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads