xloader | b6d84072166800bd1d35ca9265107d6f26496c7375411ca818046c5a28dee9d9

Resubmissions

21-10-2021 12:23

211021-pkk7vsacd8 10

21-10-2021 10:55

211021-mz476sbadn 10

Analysis

max time kernel
121s
max time network
156s
platform
windows7_x64
resource
win7-en-20210920
submitted
21-10-2021 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36e60a2ecd13869a78ad7bc9312681d0.exe
Size

255KB
MD5

36e60a2ecd13869a78ad7bc9312681d0
SHA1

8ef2422980fe2641a0d101fa1649fc24c43c2e97
SHA256

b6d84072166800bd1d35ca9265107d6f26496c7375411ca818046c5a28dee9d9
SHA512

bcdfe6f2b4db1dedac564e4e50de65ef1387e9613a063bc118b9da3f66c08587aebd90923a6706ca22ddd334e7796d7c214b3636ce49c5acf0b533fd2d834a36

Score

10^/10

xloader mxnu loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mxnu

http://www.naplesconciergerealty.com/mxnu/

Decoy

insightmyhome.com

gabriellamaxey.com

029atk.xyz

marshconstructions.com

technichoffghosts.com

blue-ivy-boutique-au.com

1sunsetgroup.com

elfkuhnispb.store

caoliudh.club

verifiedpaypal.net

jellyice-tr.com

gatescres.com

bloomberq.online

crystaltopagent.net

uggs-line.com

ecommerceplatform.xyz

historyofcambridge.com

sattaking-gaziabad.xyz

digisor.com

beachpawsmobilegrooming.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/832-56-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/832-57-0x000000000041D4A0-mapping.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

36e60a2ecd13869a78ad7bc9312681d0.exe

pid process

472 36e60a2ecd13869a78ad7bc9312681d0.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

36e60a2ecd13869a78ad7bc9312681d0.exe

description pid process target process

PID 472 set thread context of 832 472 36e60a2ecd13869a78ad7bc9312681d0.exe 36e60a2ecd13869a78ad7bc9312681d0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

36e60a2ecd13869a78ad7bc9312681d0.exe

pid process

832 36e60a2ecd13869a78ad7bc9312681d0.exe

pid	process
472	36e60a2ecd13869a78ad7bc9312681d0.exe

description	pid	process	target process
PID 472 set thread context of 832	472	36e60a2ecd13869a78ad7bc9312681d0.exe	36e60a2ecd13869a78ad7bc9312681d0.exe

pid	process
832	36e60a2ecd13869a78ad7bc9312681d0.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

36e60a2ecd13869a78ad7bc9312681d0.exe

description	pid	process	target process
PID 472 wrote to memory of 832	472	36e60a2ecd13869a78ad7bc9312681d0.exe	36e60a2ecd13869a78ad7bc9312681d0.exe
PID 472 wrote to memory of 832	472	36e60a2ecd13869a78ad7bc9312681d0.exe	36e60a2ecd13869a78ad7bc9312681d0.exe
PID 472 wrote to memory of 832	472	36e60a2ecd13869a78ad7bc9312681d0.exe	36e60a2ecd13869a78ad7bc9312681d0.exe
PID 472 wrote to memory of 832	472	36e60a2ecd13869a78ad7bc9312681d0.exe	36e60a2ecd13869a78ad7bc9312681d0.exe
PID 472 wrote to memory of 832	472	36e60a2ecd13869a78ad7bc9312681d0.exe	36e60a2ecd13869a78ad7bc9312681d0.exe
PID 472 wrote to memory of 832	472	36e60a2ecd13869a78ad7bc9312681d0.exe	36e60a2ecd13869a78ad7bc9312681d0.exe
PID 472 wrote to memory of 832	472	36e60a2ecd13869a78ad7bc9312681d0.exe	36e60a2ecd13869a78ad7bc9312681d0.exe

C:\Users\Admin\AppData\Local\Temp\36e60a2ecd13869a78ad7bc9312681d0.exe
"C:\Users\Admin\AppData\Local\Temp\36e60a2ecd13869a78ad7bc9312681d0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:472

C:\Users\Admin\AppData\Local\Temp\36e60a2ecd13869a78ad7bc9312681d0.exe
"C:\Users\Admin\AppData\Local\Temp\36e60a2ecd13869a78ad7bc9312681d0.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:832

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy61EF.tmp\dzksq.dll
MD5
52a665d244ddb5192b3494f4ca1bd978

SHA1
07bd3f140917cd3992e9b9ffc120c84af834472d

SHA256
63466cfda81d5da190e8d3198ccff849e7c651f472efd58d277add978a50f131

SHA512
c892de4792dd99d8d9eb3da0e42d80132bb613062cec56faa0429019ca3e8e32804e2d065f72cbc8c960000013e113753bcd15b836e4d19f147f37f2f12e5648

Download Submit
memory/472-54-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download
memory/832-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/832-57-0x000000000041D4A0-mapping.dmp

Download
memory/832-58-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download