xloader | 5da3ef49a658c41da32f3258e3124c24e9641496ea1c2443d40c680a9f7b0e8c

General

Target

Swift Copy_44000.exe
Size

320KB
MD5

03d853072e1cab50b55cce6883e5e72e
SHA1

a3d35ebdb90c950db690d900c57b804cb4874b4e
SHA256

5da3ef49a658c41da32f3258e3124c24e9641496ea1c2443d40c680a9f7b0e8c
SHA512

0229de62952ebc975333eb6ec25e9d47fd7f658e44661d198d17a8b6b833291b42f4f08e7ec41e574dd2dba8d58da54c0c0375e1d764bd26fe84fc3aa70d8116

Score

10^/10

xloader e8ia loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

e8ia

C2

http://www.helpfromjames.com/e8ia/

Decoy

le-hameau-enchanteur.com

quantumsystem-au.club

engravedeeply.com

yesrecompensas.lat

cavallitowerofficials.com

800seaspray.com

skifun-jetski.com

thouartafoot.com

nft2dollar.com

petrestore.online

cjcutthecord2.com

tippimccullough.com

gadget198.xyz

djmiriam.com

bitbasepay.com

cukierniawz.com

mcclureic.xyz

inthekitchenshakinandbakin.com

busy-clicks.com

melaniemorris.online

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4316-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4316-117-0x000000000041D4D0-mapping.dmp	xloader
behavioral2/memory/4436-124-0x0000000003330000-0x0000000003359000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

Swift Copy_44000.exe

pid process

3828 Swift Copy_44000.exe

pid	process
3828	Swift Copy_44000.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Swift Copy_44000.exeSwift Copy_44000.exenetsh.exe

description	pid	process	target process
PID 3828 set thread context of 4316	3828	Swift Copy_44000.exe	Swift Copy_44000.exe
PID 4316 set thread context of 2672	4316	Swift Copy_44000.exe	Explorer.EXE
PID 4436 set thread context of 2672	4436	netsh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

Swift Copy_44000.exenetsh.exe

pid	process
4316	Swift Copy_44000.exe
4316	Swift Copy_44000.exe
4316	Swift Copy_44000.exe
4316	Swift Copy_44000.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe
4436	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2672 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Swift Copy_44000.exenetsh.exe

pid process

4316 Swift Copy_44000.exe
4316 Swift Copy_44000.exe
4316 Swift Copy_44000.exe
4436 netsh.exe
4436 netsh.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Swift Copy_44000.exenetsh.exe

description pid process

Token: SeDebugPrivilege 4316 Swift Copy_44000.exe
Token: SeDebugPrivilege 4436 netsh.exe

pid	process
2672	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4316	Swift Copy_44000.exe
Token: SeDebugPrivilege	4436	netsh.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Swift Copy_44000.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 3828 wrote to memory of 4316	3828	Swift Copy_44000.exe	Swift Copy_44000.exe
PID 3828 wrote to memory of 4316	3828	Swift Copy_44000.exe	Swift Copy_44000.exe
PID 3828 wrote to memory of 4316	3828	Swift Copy_44000.exe	Swift Copy_44000.exe
PID 3828 wrote to memory of 4316	3828	Swift Copy_44000.exe	Swift Copy_44000.exe
PID 3828 wrote to memory of 4316	3828	Swift Copy_44000.exe	Swift Copy_44000.exe
PID 3828 wrote to memory of 4316	3828	Swift Copy_44000.exe	Swift Copy_44000.exe
PID 2672 wrote to memory of 4436	2672	Explorer.EXE	netsh.exe
PID 2672 wrote to memory of 4436	2672	Explorer.EXE	netsh.exe
PID 2672 wrote to memory of 4436	2672	Explorer.EXE	netsh.exe
PID 4436 wrote to memory of 4424	4436	netsh.exe	cmd.exe
PID 4436 wrote to memory of 4424	4436	netsh.exe	cmd.exe
PID 4436 wrote to memory of 4424	4436	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3828

C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Swift Copy_44000.exe"
3⤵
PID:4424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdF222.tmp\yktbz.dll
MD5
31d640c277ad7bae2ef34f6f96a00e48

SHA1
79c82dc55f7809a09e743246c592b13738d82474

SHA256
de7e672353424bf282a669abc6002140cd1103eed39b5ddb685ffb3b0ccffe85

SHA512
d2ac29df6eeda50ca0f8252542f05a790b18d970e1d8ea7f6a2582c2dff33d948f0c616a5061c556522bc90e3cfdc69ecba0a520a8f848d577b46b220fc76934

Download Submit
memory/2672-121-0x00000000058D0000-0x0000000005A48000-memory.dmp

Filesize
1.5MB

Download
memory/2672-128-0x0000000007810000-0x000000000795A000-memory.dmp

Filesize
1.3MB

Download
memory/4316-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4316-117-0x000000000041D4D0-mapping.dmp

Download
memory/4316-119-0x0000000000AA0000-0x0000000000DC0000-memory.dmp

Filesize
3.1MB

Download
memory/4316-120-0x00000000009D0000-0x00000000009E1000-memory.dmp

Filesize
68KB

Download
memory/4424-125-0x0000000000000000-mapping.dmp

Download
memory/4436-124-0x0000000003330000-0x0000000003359000-memory.dmp

Filesize
164KB

Download
memory/4436-123-0x0000000000880000-0x000000000089E000-memory.dmp

Filesize
120KB

Download
memory/4436-126-0x0000000003780000-0x0000000003AA0000-memory.dmp

Filesize
3.1MB

Download
memory/4436-127-0x0000000003670000-0x0000000003700000-memory.dmp

Filesize
576KB

Download
memory/4436-122-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads