xloader | b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255

General

Target

b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe
Size

457KB
MD5

e4133afba26efde5b01959df65c3eeb4
SHA1

ea2b48d0f50918e47b4657fd5774c2766c640f0a
SHA256

b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255
SHA512

563b0a1c9663c7c8a768ca6a50e8a27aa775a15282bf9dc00dc03d24ce8114a4c521d250e8ca49dea05549b791806dcd91bb856f8aa725155b2d52c19f7392ba

Score

10^/10

xloader fqiq loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

fqiq

Decoy

driventow.com

ipatchwork.today

bolder.equipment

seal-brother.com

mountlaketerraceapartments.com

weeden.xyz

sanlifalan.com

athafood.com

isshinn1.com

creationslazzaroni.com

eclecticrenaissancewoman.com

satellitephonstore.com

cotchildcare.com

yamacorp.digital

ff4cuno43.xyz

quicksticks.community

govindfinance.com

farmersfirstseed.com

megacinema.club

tablescaperendezvous4two.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3476-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/3476-117-0x000000000041D4B0-mapping.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe

pid process

2636 b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe

pid	process
2636	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe

description	pid	process	target process
PID 2636 set thread context of 3476	2636	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe

pid	process
3476	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe
3476	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe

description	pid	process	target process
PID 2636 wrote to memory of 3476	2636	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe
PID 2636 wrote to memory of 3476	2636	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe
PID 2636 wrote to memory of 3476	2636	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe
PID 2636 wrote to memory of 3476	2636	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe
PID 2636 wrote to memory of 3476	2636	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe
PID 2636 wrote to memory of 3476	2636	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe	b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe

C:\Users\Admin\AppData\Local\Temp\b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe
"C:\Users\Admin\AppData\Local\Temp\b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe
"C:\Users\Admin\AppData\Local\Temp\b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsiA48F.tmp\uaxqabeequz.dll
MD5
75e4e911b7ec3a7450d28fd843205b8c

SHA1
17751bcad2cebfad753d5f5b9c6ffd6b72cc5871

SHA256
c260f3c548190ad93420471811c98aaa3b482a4362ebf6defbedb098386d4c0f

SHA512
f5786b90f002caa0646e1eff955192f1f8686b9c63e783f6a312f01585c09660fbf2b6e46fa47cdf10e369938b732cc32dbfc5c6ffb9be3f6a57411f7c14e73d

Download Submit
memory/3476-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3476-117-0x000000000041D4B0-mapping.dmp

Download
memory/3476-118-0x0000000000A70000-0x0000000000D90000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads