xloader | fe63755f7b7c30e933cb3897136a75a7d1903ca044a04ef9bd91d426596f279d

General

Target

1.exe
Size

416KB
MD5

1a3bcd7f400b0d7a37166c1c5af7f886
SHA1

a654cdfc29951ac2e77af3fbbbd7160b5205c8f9
SHA256

fe63755f7b7c30e933cb3897136a75a7d1903ca044a04ef9bd91d426596f279d
SHA512

47974116e9b5b0cc6407fe7c651619b6fef5af7df0190d3b4e5c906a1520ed66ae7e4e1af6e578bf93af9dbd3625845678fd834aea15db9082dad2abbd77f69f

Score

10^/10

xloader iaop loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

iaop

C2

http://www.georgeinnhatherleigh.com/iaop/

Decoy

oosakichi.com

group1beadles.com

navegadorexclusivo.digital

awefca.xyz

strakerwilliams.com

stone-img.com

radialodge.com

tequesquitengo.net

humanegardens.com

rubberyporqjp.xyz

farazkhak.com

gfsexpornvideos.com

stealth-carrier.com

hemtpi.xyz

tygcj.com

agileiance.com

ioan316.com

kitchendesigns.xyz

shannacarolphotography.com

oheytech88.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3816-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3816-117-0x000000000041D4E0-mapping.dmp	xloader
behavioral2/memory/460-124-0x0000000002F30000-0x0000000002F59000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

1.exe

pid process

2820 1.exe

pid	process
2820	1.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1.exe1.exeNETSTAT.EXE

description	pid	process	target process
PID 2820 set thread context of 3816	2820	1.exe	1.exe
PID 3816 set thread context of 2648	3816	1.exe	Explorer.EXE
PID 460 set thread context of 2648	460	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

460 NETSTAT.EXE

pid	process
460	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

1.exeNETSTAT.EXE

pid	process
3816	1.exe
3816	1.exe
3816	1.exe
3816	1.exe
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE
460	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2648 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

1.exeNETSTAT.EXE

pid process

3816 1.exe
3816 1.exe
3816 1.exe
460 NETSTAT.EXE
460 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 3816 1.exe
Token: SeDebugPrivilege 460 NETSTAT.EXE

pid	process
2648	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3816	1.exe
Token: SeDebugPrivilege	460	NETSTAT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 2820 wrote to memory of 3816	2820	1.exe	1.exe
PID 2820 wrote to memory of 3816	2820	1.exe	1.exe
PID 2820 wrote to memory of 3816	2820	1.exe	1.exe
PID 2820 wrote to memory of 3816	2820	1.exe	1.exe
PID 2820 wrote to memory of 3816	2820	1.exe	1.exe
PID 2820 wrote to memory of 3816	2820	1.exe	1.exe
PID 2648 wrote to memory of 460	2648	Explorer.EXE	NETSTAT.EXE
PID 2648 wrote to memory of 460	2648	Explorer.EXE	NETSTAT.EXE
PID 2648 wrote to memory of 460	2648	Explorer.EXE	NETSTAT.EXE
PID 460 wrote to memory of 376	460	NETSTAT.EXE	cmd.exe
PID 460 wrote to memory of 376	460	NETSTAT.EXE	cmd.exe
PID 460 wrote to memory of 376	460	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\1.exe"
3⤵
PID:376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsmA1A1.tmp\wvhivcwcy.dll
MD5
5d0d2589c6c859b43bb0e6c6b88fa767

SHA1
4085e250109fefddf1a35b3fb3fadc66714effda

SHA256
6de76b65e1561c0897a3261b9fe55ac75ef4d1e2456a302a9257dc38dcb81d1e

SHA512
8ef33f865ed19fd6779e7520590bbe1aa864cc5f7e3222f314f6953abcbc7537aaf2397f0b91a720db3e220cea1c3da15ec453ea1d5bb82a7d783bf5853b68af

Download Submit
memory/376-125-0x0000000000000000-mapping.dmp

Download
memory/460-122-0x0000000000000000-mapping.dmp

Download
memory/460-123-0x0000000000E60000-0x0000000000E6B000-memory.dmp

Filesize
44KB

Download
memory/460-124-0x0000000002F30000-0x0000000002F59000-memory.dmp

Filesize
164KB

Download
memory/460-126-0x00000000038A0000-0x0000000003BC0000-memory.dmp

Filesize
3.1MB

Download
memory/460-127-0x0000000003700000-0x0000000003790000-memory.dmp

Filesize
576KB

Download
memory/2648-121-0x0000000005400000-0x0000000005526000-memory.dmp

Filesize
1.1MB

Download
memory/2648-128-0x0000000005530000-0x0000000005640000-memory.dmp

Filesize
1.1MB

Download
memory/3816-120-0x00000000004C0000-0x000000000056E000-memory.dmp

Filesize
696KB

Download
memory/3816-119-0x0000000000A90000-0x0000000000DB0000-memory.dmp

Filesize
3.1MB

Download
memory/3816-117-0x000000000041D4E0-mapping.dmp

Download
memory/3816-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads