xloader | dde5521f4b34414e6850fc869de027df46f3e4d5a1cb3cbb483c2900abe49c0d

General

Target

SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe
Size

1.0MB
MD5

3d059df1a6a9edc0e20241113bd21c87
SHA1

e8bcc9b32d15d45d1341f3589478ba87c2fd976d
SHA256

dde5521f4b34414e6850fc869de027df46f3e4d5a1cb3cbb483c2900abe49c0d
SHA512

07819f8b883c062a50b582805fe6886218e80e8e8d67ce91c4ee463e2a6b8579554352be030fc5ce0ebc8cb82000dd71fc5b85275f40ccdee915a9f5e154931b

Score

10^/10

xloader ea0r loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2136-132-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2136-133-0x000000000041D410-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe

description	pid	process	target process
PID 3880 set thread context of 2136	3880	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2520 schtasks.exe

pid	process
2520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exeSecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exepowershell.exe

pid	process
3880	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe
3880	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe
2136	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe
2136	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe
2700	powershell.exe
2700	powershell.exe
2700	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3880 SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe
Token: SeDebugPrivilege 2700 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3880	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe
Token: SeDebugPrivilege	2700	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe

description	pid	process	target process
PID 3880 wrote to memory of 2700	3880	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe	powershell.exe
PID 3880 wrote to memory of 2700	3880	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe	powershell.exe
PID 3880 wrote to memory of 2700	3880	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe	powershell.exe
PID 3880 wrote to memory of 2520	3880	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe	schtasks.exe
PID 3880 wrote to memory of 2520	3880	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe	schtasks.exe
PID 3880 wrote to memory of 2520	3880	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe	schtasks.exe
PID 3880 wrote to memory of 2136	3880	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe
PID 3880 wrote to memory of 2136	3880	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe
PID 3880 wrote to memory of 2136	3880	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe
PID 3880 wrote to memory of 2136	3880	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe
PID 3880 wrote to memory of 2136	3880	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe
PID 3880 wrote to memory of 2136	3880	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe	SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AiLQLqVXxoE.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AiLQLqVXxoE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBCA.tmp"
2⤵
- Creates scheduled task(s)
PID:2520

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1128.5876.4979.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBBCA.tmp
MD5
fabf4e8bcacfab52aa2d3cbf6d483768

SHA1
2cf3a67b939579937b79ab9ea3b945f04f67eb76

SHA256
a04d491f21d73f1f6f331ce1e0e75a1f5dd03c8d55c6a37a0c6ab28de766c106

SHA512
4141e076cf878c3158efc133c8e36d9926fa273f19d0b2534992e09f9385693e9b2f64328bfb8c0f4c96a0762bacdcc48d08bf9e9eaeab7c67782ec8dc690537

Download Submit
memory/2136-140-0x00000000016B0000-0x00000000019D0000-memory.dmp

Filesize
3.1MB

Download
memory/2136-133-0x000000000041D410-mapping.dmp

Download
memory/2136-132-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2520-126-0x0000000000000000-mapping.dmp

Download
memory/2700-142-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/2700-167-0x00000000068A3000-0x00000000068A4000-memory.dmp

Filesize
4KB

Download
memory/2700-136-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/2700-135-0x00000000068A2000-0x00000000068A3000-memory.dmp

Filesize
4KB

Download
memory/2700-125-0x0000000000000000-mapping.dmp

Download
memory/2700-134-0x00000000068A0000-0x00000000068A1000-memory.dmp

Filesize
4KB

Download
memory/2700-127-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2700-128-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2700-166-0x000000007EC20000-0x000000007EC21000-memory.dmp

Filesize
4KB

Download
memory/2700-130-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/2700-131-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

Filesize
4KB

Download
memory/2700-143-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/2700-165-0x0000000008BF0000-0x0000000008BF1000-memory.dmp

Filesize
4KB

Download
memory/2700-160-0x0000000008A90000-0x0000000008A91000-memory.dmp

Filesize
4KB

Download
memory/2700-168-0x0000000008FD0000-0x0000000008FD1000-memory.dmp

Filesize
4KB

Download
memory/2700-153-0x0000000008AB0000-0x0000000008AE3000-memory.dmp

Filesize
204KB

Download
memory/2700-137-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

Filesize
4KB

Download
memory/2700-138-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/2700-139-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/2700-144-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2700-141-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/3880-117-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/3880-118-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/3880-115-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/3880-123-0x0000000007E60000-0x0000000007E61000-memory.dmp

Filesize
4KB

Download
memory/3880-124-0x0000000007F00000-0x0000000008016000-memory.dmp

Filesize
1.1MB

Download
memory/3880-121-0x00000000059B0000-0x00000000059B8000-memory.dmp

Filesize
32KB

Download
memory/3880-120-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/3880-122-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

Filesize
4KB

Download
memory/3880-119-0x00000000056B0000-0x0000000005BAE000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads