xloader | 0c9a10a84e9a365e394d33848ee0951c0f1e47faa5e2acabaf3fed27b6020a2c

General

Target

DN_467842234567.exe
Size

253KB
MD5

c16013ea29f9dd1525dcb65c2184784e
SHA1

5afd533f29573050734e428f9f8c9ba08c79546a
SHA256

df05d916a02c09e1dba0df0841f93697e407a334ce8d2371dfe8befd909d8a43
SHA512

87c9e01aac687d2c675cb281592c930ce7bfefebc4eecde4135834bf896265d0238f9afc98726214fc30ef19c2528740aadf12df00e7cb44c469e56d5e9eefca

Score

10^/10

xloader r95e loader rat

Malware Config

Extracted

Family

xloader

Version

2.4

Campaign

r95e

C2

http://www.bofight.store/r95e/

Decoy

mindyourbusinesscoin.com

melandri.club

13011196.com

bespinpoker.com

ohchainpodklo.xyz

paolacapitanio.com

hnczppjs.com

healthygold-carefit.club

drive16pay.art

5foldmastermind.com

especialistasorteios.online

cjcveterotqze.com

originaldigitalspaces.com

21lawsofconfidence.com

uscryptomininglaws.com

nilist.xyz

bergstromgreenholt.icu

dumbasslures.com

companieus.com

2gtfy0.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2164-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2164-117-0x000000000041D3E0-mapping.dmp	xloader
behavioral2/memory/2420-123-0x0000000002D00000-0x0000000002D29000-memory.dmp	xloader
behavioral2/memory/2420-125-0x0000000002D30000-0x0000000002E7A000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

DN_467842234567.exe

pid process

2016 DN_467842234567.exe

pid	process
2016	DN_467842234567.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

DN_467842234567.exeDN_467842234567.execmd.exe

description	pid	process	target process
PID 2016 set thread context of 2164	2016	DN_467842234567.exe	DN_467842234567.exe
PID 2164 set thread context of 3028	2164	DN_467842234567.exe	Explorer.EXE
PID 2420 set thread context of 3028	2420	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

DN_467842234567.execmd.exe

pid	process
2164	DN_467842234567.exe
2164	DN_467842234567.exe
2164	DN_467842234567.exe
2164	DN_467842234567.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe
2420	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3028 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

DN_467842234567.execmd.exe

pid process

2164 DN_467842234567.exe
2164 DN_467842234567.exe
2164 DN_467842234567.exe
2420 cmd.exe
2420 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DN_467842234567.execmd.exe

description pid process

Token: SeDebugPrivilege 2164 DN_467842234567.exe
Token: SeDebugPrivilege 2420 cmd.exe

pid	process
3028	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2164	DN_467842234567.exe
Token: SeDebugPrivilege	2420	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

DN_467842234567.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 2164	2016	DN_467842234567.exe	DN_467842234567.exe
PID 2016 wrote to memory of 2164	2016	DN_467842234567.exe	DN_467842234567.exe
PID 2016 wrote to memory of 2164	2016	DN_467842234567.exe	DN_467842234567.exe
PID 2016 wrote to memory of 2164	2016	DN_467842234567.exe	DN_467842234567.exe
PID 2016 wrote to memory of 2164	2016	DN_467842234567.exe	DN_467842234567.exe
PID 2016 wrote to memory of 2164	2016	DN_467842234567.exe	DN_467842234567.exe
PID 3028 wrote to memory of 2420	3028	Explorer.EXE	cmd.exe
PID 3028 wrote to memory of 2420	3028	Explorer.EXE	cmd.exe
PID 3028 wrote to memory of 2420	3028	Explorer.EXE	cmd.exe
PID 2420 wrote to memory of 2660	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 2660	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 2660	2420	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\DN_467842234567.exe
"C:\Users\Admin\AppData\Local\Temp\DN_467842234567.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\DN_467842234567.exe
"C:\Users\Admin\AppData\Local\Temp\DN_467842234567.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\DN_467842234567.exe"
3⤵
PID:2660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsv94B5.tmp\rcgwzvp.dll
MD5
6b93d55cd940babd5eab05e0a8a2fea7

SHA1
e2fc9047947bdd96f92b8e1d103fc13fb606d540

SHA256
3eefd1c7daf2b08bc38159f216cd5e79ca1bdaf923ee6993eddbc602e6b84e15

SHA512
070016b91be674ad938cc407d045d1d175acbee61161ec63a994d84e74e72663aa6b1bc3e57843f6bef5c13c26e066e245ccdddc41fa198435ded18caa3a2dd8

Download Submit
memory/2164-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2164-117-0x000000000041D3E0-mapping.dmp

Download
memory/2164-119-0x00000000004C0000-0x000000000056E000-memory.dmp

Filesize
696KB

Download
memory/2164-118-0x0000000000A60000-0x0000000000D80000-memory.dmp

Filesize
3.1MB

Download
memory/2420-121-0x0000000000000000-mapping.dmp

Download
memory/2420-123-0x0000000002D00000-0x0000000002D29000-memory.dmp

Filesize
164KB

Download
memory/2420-122-0x0000000000850000-0x00000000008A9000-memory.dmp

Filesize
356KB

Download
memory/2420-125-0x0000000002D30000-0x0000000002E7A000-memory.dmp

Filesize
1.3MB

Download
memory/2420-126-0x0000000003360000-0x00000000033F0000-memory.dmp

Filesize
576KB

Download
memory/2660-124-0x0000000000000000-mapping.dmp

Download
memory/3028-120-0x0000000006740000-0x0000000006880000-memory.dmp

Filesize
1.2MB

Download
memory/3028-127-0x0000000006880000-0x00000000069FC000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads