xloader | 5da3ef49a658c41da32f3258e3124c24e9641496ea1c2443d40c680a9f7b0e8c

General

Target

Swift Copy_44000.exe
Size

320KB
MD5

03d853072e1cab50b55cce6883e5e72e
SHA1

a3d35ebdb90c950db690d900c57b804cb4874b4e
SHA256

5da3ef49a658c41da32f3258e3124c24e9641496ea1c2443d40c680a9f7b0e8c
SHA512

0229de62952ebc975333eb6ec25e9d47fd7f658e44661d198d17a8b6b833291b42f4f08e7ec41e574dd2dba8d58da54c0c0375e1d764bd26fe84fc3aa70d8116

Score

10^/10

xloader e8ia loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

e8ia

C2

http://www.helpfromjames.com/e8ia/

Decoy

le-hameau-enchanteur.com

quantumsystem-au.club

engravedeeply.com

yesrecompensas.lat

cavallitowerofficials.com

800seaspray.com

skifun-jetski.com

thouartafoot.com

nft2dollar.com

petrestore.online

cjcutthecord2.com

tippimccullough.com

gadget198.xyz

djmiriam.com

bitbasepay.com

cukierniawz.com

mcclureic.xyz

inthekitchenshakinandbakin.com

busy-clicks.com

melaniemorris.online

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/572-57-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/572-58-0x000000000041D4D0-mapping.dmp	xloader
behavioral1/memory/572-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/304-68-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1780 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

Swift Copy_44000.exe

pid process

1408 Swift Copy_44000.exe

pid	process
1780	cmd.exe

pid	process
1408	Swift Copy_44000.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Swift Copy_44000.exeSwift Copy_44000.exeNETSTAT.EXE

description	pid	process	target process
PID 1408 set thread context of 572	1408	Swift Copy_44000.exe	Swift Copy_44000.exe
PID 572 set thread context of 1208	572	Swift Copy_44000.exe	Explorer.EXE
PID 572 set thread context of 1208	572	Swift Copy_44000.exe	Explorer.EXE
PID 304 set thread context of 1208	304	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

304 NETSTAT.EXE

pid	process
304	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

Swift Copy_44000.exeNETSTAT.EXE

pid	process
572	Swift Copy_44000.exe
572	Swift Copy_44000.exe
572	Swift Copy_44000.exe
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE
304	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Swift Copy_44000.exeNETSTAT.EXE

pid process

572 Swift Copy_44000.exe
572 Swift Copy_44000.exe
572 Swift Copy_44000.exe
572 Swift Copy_44000.exe
304 NETSTAT.EXE
304 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Swift Copy_44000.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 572 Swift Copy_44000.exe
Token: SeDebugPrivilege 304 NETSTAT.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE

pid	process
1208	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	572	Swift Copy_44000.exe
Token: SeDebugPrivilege	304	NETSTAT.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Swift Copy_44000.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1408 wrote to memory of 572	1408	Swift Copy_44000.exe	Swift Copy_44000.exe
PID 1408 wrote to memory of 572	1408	Swift Copy_44000.exe	Swift Copy_44000.exe
PID 1408 wrote to memory of 572	1408	Swift Copy_44000.exe	Swift Copy_44000.exe
PID 1408 wrote to memory of 572	1408	Swift Copy_44000.exe	Swift Copy_44000.exe
PID 1408 wrote to memory of 572	1408	Swift Copy_44000.exe	Swift Copy_44000.exe
PID 1408 wrote to memory of 572	1408	Swift Copy_44000.exe	Swift Copy_44000.exe
PID 1408 wrote to memory of 572	1408	Swift Copy_44000.exe	Swift Copy_44000.exe
PID 1208 wrote to memory of 304	1208	Explorer.EXE	NETSTAT.EXE
PID 1208 wrote to memory of 304	1208	Explorer.EXE	NETSTAT.EXE
PID 1208 wrote to memory of 304	1208	Explorer.EXE	NETSTAT.EXE
PID 1208 wrote to memory of 304	1208	Explorer.EXE	NETSTAT.EXE
PID 304 wrote to memory of 1780	304	NETSTAT.EXE	cmd.exe
PID 304 wrote to memory of 1780	304	NETSTAT.EXE	cmd.exe
PID 304 wrote to memory of 1780	304	NETSTAT.EXE	cmd.exe
PID 304 wrote to memory of 1780	304	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe"
3⤵
- Deletes itself
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdC43A.tmp\yktbz.dll
MD5
31d640c277ad7bae2ef34f6f96a00e48

SHA1
79c82dc55f7809a09e743246c592b13738d82474

SHA256
de7e672353424bf282a669abc6002140cd1103eed39b5ddb685ffb3b0ccffe85

SHA512
d2ac29df6eeda50ca0f8252542f05a790b18d970e1d8ea7f6a2582c2dff33d948f0c616a5061c556522bc90e3cfdc69ecba0a520a8f848d577b46b220fc76934

Download Submit
memory/304-66-0x0000000000000000-mapping.dmp

Download
memory/304-71-0x0000000001EE0000-0x0000000001F70000-memory.dmp

Filesize
576KB

Download
memory/304-70-0x00000000021B0000-0x00000000024B3000-memory.dmp

Filesize
3.0MB

Download
memory/304-68-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/304-67-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/572-61-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/572-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/572-64-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/572-60-0x0000000000820000-0x0000000000B23000-memory.dmp

Filesize
3.0MB

Download
memory/572-58-0x000000000041D4D0-mapping.dmp

Download
memory/572-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1208-65-0x00000000061C0000-0x00000000062B4000-memory.dmp

Filesize
976KB

Download
memory/1208-62-0x0000000006060000-0x00000000061B9000-memory.dmp

Filesize
1.3MB

Download
memory/1208-72-0x00000000062C0000-0x00000000063F5000-memory.dmp

Filesize
1.2MB

Download
memory/1408-55-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1780-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads