xloader | 6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c

General

Target

0efbf49197257609b692c8579c7c15cd.exe
Size

252KB
MD5

0efbf49197257609b692c8579c7c15cd
SHA1

5390a1eb61e84c9d546178e7c43a810c309f9013
SHA256

6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c
SHA512

823c648b4a3a196d98446ca9c5177cbd8ac0c753e372daf789ca8f6b3848344160b859de9e0a353d252a37b112abe30f8f5e0a28ceae6da61d47928f80c19a1c

Score

10^/10

xloader 9gdg loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

9gdg

C2

http://www.dechocolate.online/9gdg/

Decoy

cao-catos.ca

humanityumbrella.com

heatherflintford.com

paddyjulian.com

venturedart.com

pimpyoursmile.com

shellbacklabs.com

acesteeisupply.com

socotrajeweltours.com

aykutozden.com

corncobmeal.com

lesbiansforever.com

picknock.com

pawspetreiki.com

waikikidesignco.com

lelittnpasumo4.xyz

billing-updating.info

barangdapo.com

gatorfirerescue.com

jmovt.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2012-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2012-63-0x000000000041D4A0-mapping.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

0efbf49197257609b692c8579c7c15cd.exe

pid process

1832 0efbf49197257609b692c8579c7c15cd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

0efbf49197257609b692c8579c7c15cd.exe

description pid process target process

PID 1832 set thread context of 2012 1832 0efbf49197257609b692c8579c7c15cd.exe 0efbf49197257609b692c8579c7c15cd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0efbf49197257609b692c8579c7c15cd.exe

pid process

2012 0efbf49197257609b692c8579c7c15cd.exe

pid	process
1832	0efbf49197257609b692c8579c7c15cd.exe

description	pid	process	target process
PID 1832 set thread context of 2012	1832	0efbf49197257609b692c8579c7c15cd.exe	0efbf49197257609b692c8579c7c15cd.exe

pid	process
2012	0efbf49197257609b692c8579c7c15cd.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

0efbf49197257609b692c8579c7c15cd.exe

description	pid	process	target process
PID 1832 wrote to memory of 2012	1832	0efbf49197257609b692c8579c7c15cd.exe	0efbf49197257609b692c8579c7c15cd.exe
PID 1832 wrote to memory of 2012	1832	0efbf49197257609b692c8579c7c15cd.exe	0efbf49197257609b692c8579c7c15cd.exe
PID 1832 wrote to memory of 2012	1832	0efbf49197257609b692c8579c7c15cd.exe	0efbf49197257609b692c8579c7c15cd.exe
PID 1832 wrote to memory of 2012	1832	0efbf49197257609b692c8579c7c15cd.exe	0efbf49197257609b692c8579c7c15cd.exe
PID 1832 wrote to memory of 2012	1832	0efbf49197257609b692c8579c7c15cd.exe	0efbf49197257609b692c8579c7c15cd.exe
PID 1832 wrote to memory of 2012	1832	0efbf49197257609b692c8579c7c15cd.exe	0efbf49197257609b692c8579c7c15cd.exe
PID 1832 wrote to memory of 2012	1832	0efbf49197257609b692c8579c7c15cd.exe	0efbf49197257609b692c8579c7c15cd.exe

C:\Users\Admin\AppData\Local\Temp\0efbf49197257609b692c8579c7c15cd.exe
"C:\Users\Admin\AppData\Local\Temp\0efbf49197257609b692c8579c7c15cd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\0efbf49197257609b692c8579c7c15cd.exe
"C:\Users\Admin\AppData\Local\Temp\0efbf49197257609b692c8579c7c15cd.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2012

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsfE30E.tmp\iynunsqb.dll
MD5
fdb24702ac3d38f586aa0343d71ba1d5

SHA1
662c61e11802ae875d864c6b8002ecfa5d7872f1

SHA256
e2bd42815d0ad61ad0f55056b9e78939a025f8b63c204afbf1ea1abf64adb71c

SHA512
26a86d2a7c7a4ef06e562e8cf2a40fd343b721539ef1808de6e1c6fa75a3bd1e2e3b85542aad76264792e776439e9dd1fe4fc282dee7a32948e2caa03a8e7051

Download Submit
memory/1832-60-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/2012-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2012-63-0x000000000041D4A0-mapping.dmp

Download
memory/2012-64-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing