xloader | 43205d5f8958ebc397086aa525220e381f4b0da942f071f236bdbe21280fe1b8

General

Target

payment.exe
Size

301KB
MD5

c662f5f92a309035df41c2fa8ceec901
SHA1

2555dbb5bf478e472d834d7fee163fa75598eabf
SHA256

43205d5f8958ebc397086aa525220e381f4b0da942f071f236bdbe21280fe1b8
SHA512

8984f03fc2e0849c7e7ade5112158a6375d1b148beeddf35569410f56b1efa92796cac9ec6e94f0e71198fadf6b44cf3e3785eeb75cbd5483d1138d6ed9bc7ff

Score

10^/10

xloader unzn loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

unzn

C2

http://www.davanamays.com/unzn/

Decoy

xiulf.com

highcountrymortar.com

523561.com

marketingagency.tools

ganmovie.net

nationaalcontactpunt.com

sirrbter.com

begizas.xyz

missimi-fashion.com

munixc.info

daas.support

spaceworbc.com

faithtruthresolve.com

gymkub.com

thegrayverse.xyz

artisanmakefurniture.com

029tryy.com

ijuubx.biz

iphone13promax.club

techuniversus.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1640-119-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1640-120-0x000000000041D430-mapping.dmp	xloader
behavioral2/memory/1640-123-0x0000000000550000-0x000000000069A000-memory.dmp	xloader
behavioral2/memory/3964-128-0x0000000000320000-0x0000000000349000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

payment.exe

pid process

2812 payment.exe

pid	process
2812	payment.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

payment.exepayment.exeraserver.exe

description	pid	process	target process
PID 2812 set thread context of 1640	2812	payment.exe	payment.exe
PID 1640 set thread context of 3036	1640	payment.exe	Explorer.EXE
PID 3964 set thread context of 3036	3964	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

payment.exeraserver.exe

pid	process
1640	payment.exe
1640	payment.exe
1640	payment.exe
1640	payment.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe
3964	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3036 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

payment.exeraserver.exe

pid process

1640 payment.exe
1640 payment.exe
1640 payment.exe
3964 raserver.exe
3964 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

payment.exeraserver.exe

description pid process

Token: SeDebugPrivilege 1640 payment.exe
Token: SeDebugPrivilege 3964 raserver.exe

pid	process
3036	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1640	payment.exe
Token: SeDebugPrivilege	3964	raserver.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

payment.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 2812 wrote to memory of 1640	2812	payment.exe	payment.exe
PID 2812 wrote to memory of 1640	2812	payment.exe	payment.exe
PID 2812 wrote to memory of 1640	2812	payment.exe	payment.exe
PID 2812 wrote to memory of 1640	2812	payment.exe	payment.exe
PID 2812 wrote to memory of 1640	2812	payment.exe	payment.exe
PID 2812 wrote to memory of 1640	2812	payment.exe	payment.exe
PID 3036 wrote to memory of 3964	3036	Explorer.EXE	raserver.exe
PID 3036 wrote to memory of 3964	3036	Explorer.EXE	raserver.exe
PID 3036 wrote to memory of 3964	3036	Explorer.EXE	raserver.exe
PID 3964 wrote to memory of 3120	3964	raserver.exe	cmd.exe
PID 3964 wrote to memory of 3120	3964	raserver.exe	cmd.exe
PID 3964 wrote to memory of 3120	3964	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\payment.exe
"C:\Users\Admin\AppData\Local\Temp\payment.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\AppData\Local\Temp\payment.exe
"C:\Users\Admin\AppData\Local\Temp\payment.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\payment.exe"
3⤵
PID:3120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd985A.tmp\lekf.dll
MD5
7308a90795bd1362707bd1299fcaa16b

SHA1
0a3af093fb809a129f75381f3128e01e6aa83b8a

SHA256
a59f16bf130b8cc3819227b64846d0a909ecd24355143754d9be47576157bf39

SHA512
7937636604fbc34b9d1dbfdbb3bf93cb62318506e67cdff5d4deeb2149046e7f494c69e4dd319ed769009bc1872d67a2380ed7b259bf9276898b4a0862d4c2c4

Download Submit
memory/1640-119-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1640-120-0x000000000041D430-mapping.dmp

Download
memory/1640-121-0x0000000000A60000-0x0000000000D80000-memory.dmp

Filesize
3.1MB

Download
memory/1640-123-0x0000000000550000-0x000000000069A000-memory.dmp

Filesize
1.3MB

Download
memory/3036-131-0x0000000006560000-0x0000000006675000-memory.dmp

Filesize
1.1MB

Download
memory/3036-124-0x0000000006450000-0x000000000655B000-memory.dmp

Filesize
1.0MB

Download
memory/3120-126-0x0000000000000000-mapping.dmp

Download
memory/3964-125-0x0000000000000000-mapping.dmp

Download
memory/3964-127-0x0000000000BD0000-0x0000000000BEF000-memory.dmp

Filesize
124KB

Download
memory/3964-129-0x00000000044C0000-0x00000000047E0000-memory.dmp

Filesize
3.1MB

Download
memory/3964-128-0x0000000000320000-0x0000000000349000-memory.dmp

Filesize
164KB

Download
memory/3964-130-0x0000000004310000-0x00000000043A0000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads