xloader | 43205d5f8958ebc397086aa525220e381f4b0da942f071f236bdbe21280fe1b8

General

Target

payment.exe
Size

301KB
MD5

c662f5f92a309035df41c2fa8ceec901
SHA1

2555dbb5bf478e472d834d7fee163fa75598eabf
SHA256

43205d5f8958ebc397086aa525220e381f4b0da942f071f236bdbe21280fe1b8
SHA512

8984f03fc2e0849c7e7ade5112158a6375d1b148beeddf35569410f56b1efa92796cac9ec6e94f0e71198fadf6b44cf3e3785eeb75cbd5483d1138d6ed9bc7ff

Score

10^/10

xloader unzn loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

unzn

C2

http://www.davanamays.com/unzn/

Decoy

xiulf.com

highcountrymortar.com

523561.com

marketingagency.tools

ganmovie.net

nationaalcontactpunt.com

sirrbter.com

begizas.xyz

missimi-fashion.com

munixc.info

daas.support

spaceworbc.com

faithtruthresolve.com

gymkub.com

thegrayverse.xyz

artisanmakefurniture.com

029tryy.com

ijuubx.biz

iphone13promax.club

techuniversus.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3780-119-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3780-120-0x000000000041D430-mapping.dmp	xloader
behavioral2/memory/2572-130-0x0000000000E80000-0x0000000000EA9000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

payment.exe

pid process

2624 payment.exe

pid	process
2624	payment.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

payment.exepayment.exemsiexec.exe

description	pid	process	target process
PID 2624 set thread context of 3780	2624	payment.exe	payment.exe
PID 3780 set thread context of 3056	3780	payment.exe	Explorer.EXE
PID 2572 set thread context of 3056	2572	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

payment.exemsiexec.exe

pid	process
3780	payment.exe
3780	payment.exe
3780	payment.exe
3780	payment.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe
2572	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3056 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

payment.exemsiexec.exe

pid process

3780 payment.exe
3780 payment.exe
3780 payment.exe
2572 msiexec.exe
2572 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

payment.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 3780 payment.exe
Token: SeDebugPrivilege 2572 msiexec.exe

pid	process
3056	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3780	payment.exe
Token: SeDebugPrivilege	2572	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

payment.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 2624 wrote to memory of 3780	2624	payment.exe	payment.exe
PID 2624 wrote to memory of 3780	2624	payment.exe	payment.exe
PID 2624 wrote to memory of 3780	2624	payment.exe	payment.exe
PID 2624 wrote to memory of 3780	2624	payment.exe	payment.exe
PID 2624 wrote to memory of 3780	2624	payment.exe	payment.exe
PID 2624 wrote to memory of 3780	2624	payment.exe	payment.exe
PID 3056 wrote to memory of 2572	3056	Explorer.EXE	msiexec.exe
PID 3056 wrote to memory of 2572	3056	Explorer.EXE	msiexec.exe
PID 3056 wrote to memory of 2572	3056	Explorer.EXE	msiexec.exe
PID 2572 wrote to memory of 3872	2572	msiexec.exe	cmd.exe
PID 2572 wrote to memory of 3872	2572	msiexec.exe	cmd.exe
PID 2572 wrote to memory of 3872	2572	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\payment.exe
"C:\Users\Admin\AppData\Local\Temp\payment.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Local\Temp\payment.exe
"C:\Users\Admin\AppData\Local\Temp\payment.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\payment.exe"
3⤵
PID:3872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsuC1DB.tmp\lekf.dll
MD5
7308a90795bd1362707bd1299fcaa16b

SHA1
0a3af093fb809a129f75381f3128e01e6aa83b8a

SHA256
a59f16bf130b8cc3819227b64846d0a909ecd24355143754d9be47576157bf39

SHA512
7937636604fbc34b9d1dbfdbb3bf93cb62318506e67cdff5d4deeb2149046e7f494c69e4dd319ed769009bc1872d67a2380ed7b259bf9276898b4a0862d4c2c4

Download Submit
memory/2572-128-0x0000000001230000-0x0000000001242000-memory.dmp

Filesize
72KB

Download
memory/2572-130-0x0000000000E80000-0x0000000000EA9000-memory.dmp

Filesize
164KB

Download
memory/2572-132-0x0000000000F10000-0x000000000105A000-memory.dmp

Filesize
1.3MB

Download
memory/2572-129-0x0000000004650000-0x0000000004970000-memory.dmp

Filesize
3.1MB

Download
memory/2572-127-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2572-125-0x0000000000000000-mapping.dmp

Download
memory/2572-126-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/3056-124-0x0000000004DE0000-0x0000000004F55000-memory.dmp

Filesize
1.5MB

Download
memory/3056-133-0x00000000025B0000-0x0000000002664000-memory.dmp

Filesize
720KB

Download
memory/3780-119-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3780-123-0x0000000000EA0000-0x0000000000EB1000-memory.dmp

Filesize
68KB

Download
memory/3780-120-0x000000000041D430-mapping.dmp

Download
memory/3780-121-0x00000000009E0000-0x0000000000D00000-memory.dmp

Filesize
3.1MB

Download
memory/3872-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads