xloader | 99e122686461defed546b28e1b3461a92cc5a3e0fe46cac917f5e130d5941f1f

General

Target

Statement 12-01-2021.com.exe
Size

552KB
MD5

d84165c69252af24ac6a92da452b4eb2
SHA1

5ca05c20d6240e1ab18c4204cfe3a8d85b5fede4
SHA256

99e122686461defed546b28e1b3461a92cc5a3e0fe46cac917f5e130d5941f1f
SHA512

ada97e517e7678ad971c73395d282d84c1b35493f7cd012ac226a08549757ec756d147ccc404620cd655804c24d1ed5f8e68390478fc3a5b6f134d326c78b3f5

Score

10^/10

xloader unzn loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

unzn

C2

http://www.davanamays.com/unzn/

Decoy

xiulf.com

highcountrymortar.com

523561.com

marketingagency.tools

ganmovie.net

nationaalcontactpunt.com

sirrbter.com

begizas.xyz

missimi-fashion.com

munixc.info

daas.support

spaceworbc.com

faithtruthresolve.com

gymkub.com

thegrayverse.xyz

artisanmakefurniture.com

029tryy.com

ijuubx.biz

iphone13promax.club

techuniversus.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4100-119-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4100-120-0x000000000041D430-mapping.dmp	xloader
behavioral2/memory/4100-125-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3988-130-0x0000000000740000-0x0000000000769000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

Statement 12-01-2021.com.exe

pid process

3620 Statement 12-01-2021.com.exe

pid	process
3620	Statement 12-01-2021.com.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Statement 12-01-2021.com.exeStatement 12-01-2021.com.execmd.exe

description	pid	process	target process
PID 3620 set thread context of 4100	3620	Statement 12-01-2021.com.exe	Statement 12-01-2021.com.exe
PID 4100 set thread context of 2716	4100	Statement 12-01-2021.com.exe	Explorer.EXE
PID 4100 set thread context of 2716	4100	Statement 12-01-2021.com.exe	Explorer.EXE
PID 3988 set thread context of 2716	3988	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

Statement 12-01-2021.com.execmd.exe

pid	process
4100	Statement 12-01-2021.com.exe
4100	Statement 12-01-2021.com.exe
4100	Statement 12-01-2021.com.exe
4100	Statement 12-01-2021.com.exe
4100	Statement 12-01-2021.com.exe
4100	Statement 12-01-2021.com.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe
3988	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2716 Explorer.EXE

pid	process
2716	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Statement 12-01-2021.com.execmd.exe

pid	process
4100	Statement 12-01-2021.com.exe
4100	Statement 12-01-2021.com.exe
4100	Statement 12-01-2021.com.exe
4100	Statement 12-01-2021.com.exe
3988	cmd.exe
3988	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Statement 12-01-2021.com.execmd.exe

description pid process

Token: SeDebugPrivilege 4100 Statement 12-01-2021.com.exe
Token: SeDebugPrivilege 3988 cmd.exe

description	pid	process
Token: SeDebugPrivilege	4100	Statement 12-01-2021.com.exe
Token: SeDebugPrivilege	3988	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Statement 12-01-2021.com.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3620 wrote to memory of 4100	3620	Statement 12-01-2021.com.exe	Statement 12-01-2021.com.exe
PID 3620 wrote to memory of 4100	3620	Statement 12-01-2021.com.exe	Statement 12-01-2021.com.exe
PID 3620 wrote to memory of 4100	3620	Statement 12-01-2021.com.exe	Statement 12-01-2021.com.exe
PID 3620 wrote to memory of 4100	3620	Statement 12-01-2021.com.exe	Statement 12-01-2021.com.exe
PID 3620 wrote to memory of 4100	3620	Statement 12-01-2021.com.exe	Statement 12-01-2021.com.exe
PID 3620 wrote to memory of 4100	3620	Statement 12-01-2021.com.exe	Statement 12-01-2021.com.exe
PID 2716 wrote to memory of 3988	2716	Explorer.EXE	cmd.exe
PID 2716 wrote to memory of 3988	2716	Explorer.EXE	cmd.exe
PID 2716 wrote to memory of 3988	2716	Explorer.EXE	cmd.exe
PID 3988 wrote to memory of 4224	3988	cmd.exe	cmd.exe
PID 3988 wrote to memory of 4224	3988	cmd.exe	cmd.exe
PID 3988 wrote to memory of 4224	3988	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe
"C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3620

C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe
"C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe"
3⤵
PID:4224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstA606.tmp\flfxltt.dll
MD5
41986140e388b8d37885dce52f32306f

SHA1
1e89e16a2f2d68f6d5af6519ce0e61d28c1f7c26

SHA256
3d63725dd035a901cadb74b2f0a6942f91462bd79b72ccc2d8196a5e72885748

SHA512
e0d2a09e92c4805b99864703df41bd7f71a1c40d0ad8b209e679b6029ee75a7a80d11472ffaf63d2ce3c8f353a515c56321f14cb17b36b6be431a9173f692971

Download Submit
memory/2716-134-0x0000000005020000-0x00000000051A1000-memory.dmp

Filesize
1.5MB

Download
memory/2716-124-0x0000000004EA0000-0x0000000005013000-memory.dmp

Filesize
1.4MB

Download
memory/2716-127-0x0000000002510000-0x00000000025F2000-memory.dmp

Filesize
904KB

Download
memory/3988-128-0x0000000000000000-mapping.dmp

Download
memory/3988-133-0x0000000000ED0000-0x0000000000F60000-memory.dmp

Filesize
576KB

Download
memory/3988-132-0x0000000000FE0000-0x0000000001300000-memory.dmp

Filesize
3.1MB

Download
memory/3988-129-0x0000000001360000-0x00000000013B9000-memory.dmp

Filesize
356KB

Download
memory/3988-130-0x0000000000740000-0x0000000000769000-memory.dmp

Filesize
164KB

Download
memory/4100-126-0x0000000002770000-0x0000000002781000-memory.dmp

Filesize
68KB

Download
memory/4100-125-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4100-122-0x0000000000A00000-0x0000000000D20000-memory.dmp

Filesize
3.1MB

Download
memory/4100-123-0x00000000009E0000-0x00000000009F1000-memory.dmp

Filesize
68KB

Download
memory/4100-120-0x000000000041D430-mapping.dmp

Download
memory/4100-119-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4224-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads