xloader | 014fdffc1561ee767b1189c5b496f587d16ba7d394ca9d26d2e7d6f8541ebc92

General

Target

c0eb90010d882e33340c40bde08474cb.exe
Size

257KB
MD5

c0eb90010d882e33340c40bde08474cb
SHA1

f76f7e4eff72ed9d5669cef62ecda5b65d051c84
SHA256

014fdffc1561ee767b1189c5b496f587d16ba7d394ca9d26d2e7d6f8541ebc92
SHA512

19cc012358ad74980a8f1e18bcad3718a5fb36559d5bbfe220c534c271cd8f2701cce06416438796b9dbcb97769d4b3467e0e23a13c49bc60e597e0a6ad49e13

Score

10^/10

xloader mxnu loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mxnu

C2

http://www.naplesconciergerealty.com/mxnu/

Decoy

insightmyhome.com

gabriellamaxey.com

029atk.xyz

marshconstructions.com

technichoffghosts.com

blue-ivy-boutique-au.com

1sunsetgroup.com

elfkuhnispb.store

caoliudh.club

verifiedpaypal.net

jellyice-tr.com

gatescres.com

bloomberq.online

crystaltopagent.net

uggs-line.com

ecommerceplatform.xyz

historyofcambridge.com

sattaking-gaziabad.xyz

digisor.com

beachpawsmobilegrooming.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/320-56-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/320-57-0x000000000041D4A0-mapping.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

c0eb90010d882e33340c40bde08474cb.exe

pid process

2032 c0eb90010d882e33340c40bde08474cb.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

c0eb90010d882e33340c40bde08474cb.exe

description pid process target process

PID 2032 set thread context of 320 2032 c0eb90010d882e33340c40bde08474cb.exe c0eb90010d882e33340c40bde08474cb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c0eb90010d882e33340c40bde08474cb.exe

pid process

320 c0eb90010d882e33340c40bde08474cb.exe

pid	process
2032	c0eb90010d882e33340c40bde08474cb.exe

description	pid	process	target process
PID 2032 set thread context of 320	2032	c0eb90010d882e33340c40bde08474cb.exe	c0eb90010d882e33340c40bde08474cb.exe

pid	process
320	c0eb90010d882e33340c40bde08474cb.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

c0eb90010d882e33340c40bde08474cb.exe

description	pid	process	target process
PID 2032 wrote to memory of 320	2032	c0eb90010d882e33340c40bde08474cb.exe	c0eb90010d882e33340c40bde08474cb.exe
PID 2032 wrote to memory of 320	2032	c0eb90010d882e33340c40bde08474cb.exe	c0eb90010d882e33340c40bde08474cb.exe
PID 2032 wrote to memory of 320	2032	c0eb90010d882e33340c40bde08474cb.exe	c0eb90010d882e33340c40bde08474cb.exe
PID 2032 wrote to memory of 320	2032	c0eb90010d882e33340c40bde08474cb.exe	c0eb90010d882e33340c40bde08474cb.exe
PID 2032 wrote to memory of 320	2032	c0eb90010d882e33340c40bde08474cb.exe	c0eb90010d882e33340c40bde08474cb.exe
PID 2032 wrote to memory of 320	2032	c0eb90010d882e33340c40bde08474cb.exe	c0eb90010d882e33340c40bde08474cb.exe
PID 2032 wrote to memory of 320	2032	c0eb90010d882e33340c40bde08474cb.exe	c0eb90010d882e33340c40bde08474cb.exe

C:\Users\Admin\AppData\Local\Temp\c0eb90010d882e33340c40bde08474cb.exe
"C:\Users\Admin\AppData\Local\Temp\c0eb90010d882e33340c40bde08474cb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\c0eb90010d882e33340c40bde08474cb.exe
"C:\Users\Admin\AppData\Local\Temp\c0eb90010d882e33340c40bde08474cb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:320

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsyB230.tmp\fgxbpquymg.dll
MD5
0b97cba1e0824c22255acd7317ed649d

SHA1
5c015f2a900554ba0d2303f5da3ebbaa78f7940a

SHA256
1618a682392591c00a2ee82b7eb7f4f082ec34350ad30dbe619b57198688b1e8

SHA512
e14ff3d23a702ff88077155e4c3262abcb20ad4d63d95070ad27046284db1ecaa586cef4a8ab22d1dd7d0361966d24f418d039cc04a52309ab9314f7fa58f123

Download Submit
memory/320-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/320-57-0x000000000041D4A0-mapping.dmp

Download
memory/320-58-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/2032-54-0x00000000759B1000-0x00000000759B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing