xloader | 4de35ea5d1f54708e27e4806246a6c9d9b2217cfef24c7b2321a8f6026c5d98c

Resubmissions

21-10-2021 12:23

211021-pkp6tabbdj 10

21-10-2021 10:11

211021-l7x86abaak 10

Analysis

max time kernel
600s
max time network
600s
platform
windows7_x64
resource
win7-de-20211014
submitted
21-10-2021 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

371c76d36256463a54d34e12d6741720.exe
Size

251KB
MD5

371c76d36256463a54d34e12d6741720
SHA1

41843093a5b3a7f5712abd30937004b203851252
SHA256

4de35ea5d1f54708e27e4806246a6c9d9b2217cfef24c7b2321a8f6026c5d98c
SHA512

f2e87fb4628a8b413ced0d92bcedafc4667e8655ac2c13fa15b7f806ddd19daec919003da80f4157f83e5a24b24a4ccac98c2dfd351227b6a549443c8e7c5759

Score

10^/10

xloader m5cw loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m5cw

http://www.art-for-a-cause.com/m5cw/

Decoy

stolpfabriken.com

aromaessentialco.com

rmcclaincpa.com

wuruixin.com

sidhyanticlasses.com

horilka.store

organic-outlaws.com

customsoftwarelogistics.com

cheryltesting.com

thecompacthomegym.com

the22yards.club

quickloanprovidersservices.com

grippyent.com

guard-usa.com

agircredit.com

classificationmetallurgie.com

quizzesandcode.com

catdanos.com

8676789.rest

gotbestshavlngplansforyou.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral3/memory/272-57-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral3/memory/272-58-0x000000000041D4C0-mapping.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

371c76d36256463a54d34e12d6741720.exe

pid process

916 371c76d36256463a54d34e12d6741720.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

371c76d36256463a54d34e12d6741720.exe

description pid process target process

PID 916 set thread context of 272 916 371c76d36256463a54d34e12d6741720.exe 371c76d36256463a54d34e12d6741720.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

371c76d36256463a54d34e12d6741720.exe

pid process

272 371c76d36256463a54d34e12d6741720.exe

pid	process
916	371c76d36256463a54d34e12d6741720.exe

description	pid	process	target process
PID 916 set thread context of 272	916	371c76d36256463a54d34e12d6741720.exe	371c76d36256463a54d34e12d6741720.exe

pid	process
272	371c76d36256463a54d34e12d6741720.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

371c76d36256463a54d34e12d6741720.exetaskeng.exe

description	pid	process	target process
PID 916 wrote to memory of 272	916	371c76d36256463a54d34e12d6741720.exe	371c76d36256463a54d34e12d6741720.exe
PID 916 wrote to memory of 272	916	371c76d36256463a54d34e12d6741720.exe	371c76d36256463a54d34e12d6741720.exe
PID 916 wrote to memory of 272	916	371c76d36256463a54d34e12d6741720.exe	371c76d36256463a54d34e12d6741720.exe
PID 916 wrote to memory of 272	916	371c76d36256463a54d34e12d6741720.exe	371c76d36256463a54d34e12d6741720.exe
PID 916 wrote to memory of 272	916	371c76d36256463a54d34e12d6741720.exe	371c76d36256463a54d34e12d6741720.exe
PID 916 wrote to memory of 272	916	371c76d36256463a54d34e12d6741720.exe	371c76d36256463a54d34e12d6741720.exe
PID 916 wrote to memory of 272	916	371c76d36256463a54d34e12d6741720.exe	371c76d36256463a54d34e12d6741720.exe
PID 1416 wrote to memory of 2040	1416	taskeng.exe	default-browser-agent.exe
PID 1416 wrote to memory of 2040	1416	taskeng.exe	default-browser-agent.exe
PID 1416 wrote to memory of 2040	1416	taskeng.exe	default-browser-agent.exe

C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe
"C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe
"C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:272

C:\Windows\system32\taskeng.exe
taskeng.exe {C00E40DC-7216-478C-A2ED-E5DDAA580091} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1348

C:\Windows\system32\taskeng.exe
taskeng.exe {185B3051-9BD7-44EA-81CF-0D7B642CAB35} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Program Files\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
2⤵
PID:2040

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdF632.tmp\ztqv.dll
MD5
97d84d39bb68b5a29e976b40d7d0a00c

SHA1
cf4c09487fffb9ace9ab6b82f33da0d5a851ef1c

SHA256
5b29c5ee49d9cdde15d88a9e4f8f6b4bba9e2dc4ec65c02d734726fe0f2952c8

SHA512
aab5b8831538f96c00e77f16349065bfaa93e7b25206a6d5fe0871f518f38ae31437f2f9f93f36f488e1869eaf97dd4697a282d726ce9a292cf4276242733546

Download Submit
memory/272-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/272-58-0x000000000041D4C0-mapping.dmp

Download
memory/272-59-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/916-55-0x0000000075CB1000-0x0000000075CB3000-memory.dmp

Filesize
8KB

Download
memory/2040-60-0x0000000000000000-mapping.dmp

Download