xloader | f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d

General

Target

f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe
Size

349KB
MD5

6ff3af29fcf1cabca1e7df8a6094e4a3
SHA1

f382d117151ad79fa9ecd42920fe63e105aed461
SHA256

f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d
SHA512

578cc3c53fcbc51b42b18e0cedf898b9540e74a13a075d312e776b42c5c46f5d14db0e81d76f87efc90c3fe0b34a421388c48d573846ae37de88003d6cea3661

Score

10^/10

xloader b2c0 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b2c0

C2

http://www.thesewhitevvalls.com/b2c0/

Decoy

bjyxszd520.xyz

hsvfingerprinting.com

elliotpioneer.com

bf396.com

chinaopedia.com

6233v.com

shopeuphoricapparel.com

loccssol.store

truefictionpictures.com

playstarexch.com

peruviancoffee.store

shobhajoshi.com

philme.net

avito-rules.com

independencehomecenters.com

atp-cayenne.com

invetorsbank.com

sasanos.com

scentfreebnb.com

catfuid.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3136-126-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/3136-127-0x000000000041D4C0-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe

description	pid	process	target process
PID 3488 set thread context of 3136	3488	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4072 schtasks.exe

pid	process
4072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exef8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe

pid	process
3488	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe
3488	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe
3136	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe
3136	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe

description pid process

Token: SeDebugPrivilege 3488 f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe

description	pid	process
Token: SeDebugPrivilege	3488	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe

description	pid	process	target process
PID 3488 wrote to memory of 4072	3488	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe	schtasks.exe
PID 3488 wrote to memory of 4072	3488	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe	schtasks.exe
PID 3488 wrote to memory of 4072	3488	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe	schtasks.exe
PID 3488 wrote to memory of 3136	3488	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe
PID 3488 wrote to memory of 3136	3488	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe
PID 3488 wrote to memory of 3136	3488	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe
PID 3488 wrote to memory of 3136	3488	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe
PID 3488 wrote to memory of 3136	3488	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe
PID 3488 wrote to memory of 3136	3488	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe	f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe

C:\Users\Admin\AppData\Local\Temp\f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe
"C:\Users\Admin\AppData\Local\Temp\f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QmGzsmhXZS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9C8A.tmp"
2⤵
- Creates scheduled task(s)
PID:4072

C:\Users\Admin\AppData\Local\Temp\f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe
"C:\Users\Admin\AppData\Local\Temp\f8b6860b5f79411ce377df615b3e72745e773c9e89347fdf00adea4f8200e51d.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3136-126-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3136-128-0x00000000012D0000-0x00000000015F0000-memory.dmp

Filesize
3.1MB

Download
memory/3136-127-0x000000000041D4C0-mapping.dmp

Download
memory/3488-122-0x0000000007B60000-0x0000000007B67000-memory.dmp

Filesize
28KB

Download
memory/3488-120-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/3488-121-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/3488-115-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/3488-123-0x000000007EBA0000-0x000000007EBA1000-memory.dmp

Filesize
4KB

Download
memory/3488-124-0x0000000007E40000-0x0000000007E8A000-memory.dmp

Filesize
296KB

Download
memory/3488-119-0x00000000055E0000-0x0000000005ADE000-memory.dmp

Filesize
5.0MB

Download
memory/3488-118-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/3488-117-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/4072-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads