xloader | c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e

General

Target

e0c09b7302a96d737a7573a7938ea389.exe
Size

304KB
MD5

e0c09b7302a96d737a7573a7938ea389
SHA1

2d064fc357be869f8bf7d57f099b5edd1aeaa0a8
SHA256

c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e
SHA512

830c1b59658a9f744f59e39281a0102cbfef538b03f93154b1310dfab017768095d0aec2688ee464f87cff41ca9e13400c3cefde681e1d171ad2c9525abb592e

Score

10^/10

xloader unzn loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

unzn

C2

http://www.davanamays.com/unzn/

Decoy

xiulf.com

highcountrymortar.com

523561.com

marketingagency.tools

ganmovie.net

nationaalcontactpunt.com

sirrbter.com

begizas.xyz

missimi-fashion.com

munixc.info

daas.support

spaceworbc.com

faithtruthresolve.com

gymkub.com

thegrayverse.xyz

artisanmakefurniture.com

029tryy.com

ijuubx.biz

iphone13promax.club

techuniversus.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3912-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3912-117-0x000000000041D430-mapping.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

e0c09b7302a96d737a7573a7938ea389.exe

pid process

2720 e0c09b7302a96d737a7573a7938ea389.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

e0c09b7302a96d737a7573a7938ea389.exe

description pid process target process

PID 2720 set thread context of 3912 2720 e0c09b7302a96d737a7573a7938ea389.exe e0c09b7302a96d737a7573a7938ea389.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e0c09b7302a96d737a7573a7938ea389.exe

pid process

3912 e0c09b7302a96d737a7573a7938ea389.exe
3912 e0c09b7302a96d737a7573a7938ea389.exe

pid	process
2720	e0c09b7302a96d737a7573a7938ea389.exe

description	pid	process	target process
PID 2720 set thread context of 3912	2720	e0c09b7302a96d737a7573a7938ea389.exe	e0c09b7302a96d737a7573a7938ea389.exe

pid	process
3912	e0c09b7302a96d737a7573a7938ea389.exe
3912	e0c09b7302a96d737a7573a7938ea389.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e0c09b7302a96d737a7573a7938ea389.exe

description	pid	process	target process
PID 2720 wrote to memory of 3912	2720	e0c09b7302a96d737a7573a7938ea389.exe	e0c09b7302a96d737a7573a7938ea389.exe
PID 2720 wrote to memory of 3912	2720	e0c09b7302a96d737a7573a7938ea389.exe	e0c09b7302a96d737a7573a7938ea389.exe
PID 2720 wrote to memory of 3912	2720	e0c09b7302a96d737a7573a7938ea389.exe	e0c09b7302a96d737a7573a7938ea389.exe
PID 2720 wrote to memory of 3912	2720	e0c09b7302a96d737a7573a7938ea389.exe	e0c09b7302a96d737a7573a7938ea389.exe
PID 2720 wrote to memory of 3912	2720	e0c09b7302a96d737a7573a7938ea389.exe	e0c09b7302a96d737a7573a7938ea389.exe
PID 2720 wrote to memory of 3912	2720	e0c09b7302a96d737a7573a7938ea389.exe	e0c09b7302a96d737a7573a7938ea389.exe

C:\Users\Admin\AppData\Local\Temp\e0c09b7302a96d737a7573a7938ea389.exe
"C:\Users\Admin\AppData\Local\Temp\e0c09b7302a96d737a7573a7938ea389.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\e0c09b7302a96d737a7573a7938ea389.exe
"C:\Users\Admin\AppData\Local\Temp\e0c09b7302a96d737a7573a7938ea389.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsqC6AD.tmp\ijlcycjncm.dll
MD5
83ae51e0c78e6465e7651edc636dc4f8

SHA1
8783785ba6a0afdeed649363245c4fcddaf27583

SHA256
14140ac568aec8b9e8c6593f4807a3616f3b3080b156967a3c5d275e87a38e89

SHA512
c6a2cd8a363e8d8efd295e1cf77066c91878dfddd13959061ab788e944f7b5c793fbe4ae620d04b2234d828d5a7ad042f43803cff4a54347dd4a101fef561c03

Download Submit
memory/3912-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3912-117-0x000000000041D430-mapping.dmp

Download
memory/3912-118-0x0000000000BC0000-0x0000000000EE0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing