xloader | 44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5

General

Target

44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
Size

882KB
MD5

97ccf6ebd6abe7786677f0e6e6b8aef0
SHA1

be06f330c04450b80848d8c5ed680dd8fce61c21
SHA256

44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5
SHA512

0f4d549a3798ba0e9e10bc2e7f680290f5fc5b11c39e3f784cf04c1c0969739d906bd556f5c7f722c4a6d4d2d1ed2ab3246d2e668f03149fa1a033eeff17e761

Score

10^/10

xloader nt3f loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3996-133-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/3996-135-0x000000000041D460-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe

description	pid	process	target process
PID 492 set thread context of 3996	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

680 schtasks.exe

pid	process
680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exepowershell.exe44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe

pid	process
492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
2828	powershell.exe
3996	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
3996	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
2828	powershell.exe
2828	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
Token: SeDebugPrivilege	2828	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe

C:\Users\Admin\AppData\Local\Temp\44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
"C:\Users\Admin\AppData\Local\Temp\44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wLPRsknlyKFXuL.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wLPRsknlyKFXuL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDEA4.tmp"
2⤵
- Creates scheduled task(s)
PID:680

C:\Users\Admin\AppData\Local\Temp\44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
"C:\Users\Admin\AppData\Local\Temp\44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe"
2⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
"C:\Users\Admin\AppData\Local\Temp\44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDEA4.tmp
MD5
01f28a89a3d659e55bca8afddff29dcc

SHA1
e465f7b6eae10a562d885701ee8b629c8acf28f7

SHA256
ddd0b0870a3017805e40a541445f6239b367552d97da7da90e04bb4a7519936f

SHA512
642b89b395be3e50cca4608eb41b4a36000ffe07053908eae50fd7691de4207208a853fe82ad62192c856bcef46ed8c3289c4e7ee1438e9ccd270dcfe3201bec

Download Submit
memory/492-116-0x0000000000030000-0x0000000000114000-memory.dmp

Filesize
912KB

Download
memory/492-117-0x0000000004DE0000-0x00000000052DE000-memory.dmp

Filesize
5.0MB

Download
memory/492-118-0x0000000004980000-0x0000000004A12000-memory.dmp

Filesize
584KB

Download
memory/492-119-0x00000000052E0000-0x0000000005630000-memory.dmp

Filesize
3.3MB

Download
memory/492-120-0x00000000048E0000-0x0000000004DDE000-memory.dmp

Filesize
5.0MB

Download
memory/492-121-0x0000000004B00000-0x0000000004B0A000-memory.dmp

Filesize
40KB

Download
memory/492-122-0x00000000083B0000-0x00000000083BE000-memory.dmp

Filesize
56KB

Download
memory/492-123-0x00000000083C0000-0x000000000840B000-memory.dmp

Filesize
300KB

Download
memory/492-124-0x0000000008730000-0x00000000087CC000-memory.dmp

Filesize
624KB

Download
memory/492-125-0x00000000087D0000-0x000000000882E000-memory.dmp

Filesize
376KB

Download
memory/492-115-0x0000000000030000-0x0000000000114000-memory.dmp

Filesize
912KB

Download
memory/680-127-0x0000000000000000-mapping.dmp

Download
memory/2828-139-0x0000000007A50000-0x0000000007AB6000-memory.dmp

Filesize
408KB

Download
memory/2828-145-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/2828-130-0x0000000006B70000-0x0000000006BA6000-memory.dmp

Filesize
216KB

Download
memory/2828-129-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/2828-132-0x0000000007350000-0x0000000007978000-memory.dmp

Filesize
6.2MB

Download
memory/2828-373-0x0000000009690000-0x0000000009698000-memory.dmp

Filesize
32KB

Download
memory/2828-368-0x0000000009690000-0x0000000009698000-memory.dmp

Filesize
32KB

Download
memory/2828-136-0x0000000006D12000-0x0000000006D13000-memory.dmp

Filesize
4KB

Download
memory/2828-134-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/2828-137-0x0000000007180000-0x00000000071A2000-memory.dmp

Filesize
136KB

Download
memory/2828-138-0x0000000007980000-0x00000000079E6000-memory.dmp

Filesize
408KB

Download
memory/2828-126-0x0000000000000000-mapping.dmp

Download
memory/2828-140-0x0000000007C30000-0x0000000007F80000-memory.dmp

Filesize
3.3MB

Download
memory/2828-367-0x00000000096A0000-0x00000000096BA000-memory.dmp

Filesize
104KB

Download
memory/2828-142-0x0000000007B00000-0x0000000007B1C000-memory.dmp

Filesize
112KB

Download
memory/2828-143-0x0000000008150000-0x000000000819B000-memory.dmp

Filesize
300KB

Download
memory/2828-144-0x0000000008360000-0x00000000083D6000-memory.dmp

Filesize
472KB

Download
memory/2828-128-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/2828-153-0x0000000007350000-0x0000000007978000-memory.dmp

Filesize
6.2MB

Download
memory/2828-155-0x00000000091E0000-0x0000000009213000-memory.dmp

Filesize
204KB

Download
memory/2828-156-0x00000000091E0000-0x0000000009213000-memory.dmp

Filesize
204KB

Download
memory/2828-154-0x000000007E6F0000-0x000000007E6F1000-memory.dmp

Filesize
4KB

Download
memory/2828-157-0x0000000007180000-0x00000000071A2000-memory.dmp

Filesize
136KB

Download
memory/2828-158-0x0000000007980000-0x00000000079E6000-memory.dmp

Filesize
408KB

Download
memory/2828-159-0x0000000007A50000-0x0000000007AB6000-memory.dmp

Filesize
408KB

Download
memory/2828-160-0x0000000008150000-0x000000000819B000-memory.dmp

Filesize
300KB

Download
memory/2828-161-0x0000000008360000-0x00000000083D6000-memory.dmp

Filesize
472KB

Download
memory/2828-162-0x00000000091C0000-0x00000000091DE000-memory.dmp

Filesize
120KB

Download
memory/2828-167-0x0000000009310000-0x00000000093B5000-memory.dmp

Filesize
660KB

Download
memory/2828-168-0x0000000006D13000-0x0000000006D14000-memory.dmp

Filesize
4KB

Download
memory/2828-169-0x0000000009710000-0x00000000097A4000-memory.dmp

Filesize
592KB

Download
memory/2828-362-0x00000000096A0000-0x00000000096BA000-memory.dmp

Filesize
104KB

Download
memory/3996-141-0x0000000000FE0000-0x0000000001300000-memory.dmp

Filesize
3.1MB

Download
memory/3996-135-0x000000000041D460-mapping.dmp

Download
memory/3996-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

description	pid	process	target process
PID 492 wrote to memory of 2828	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe	powershell.exe
PID 492 wrote to memory of 2828	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe	powershell.exe
PID 492 wrote to memory of 2828	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe	powershell.exe
PID 492 wrote to memory of 680	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe	schtasks.exe
PID 492 wrote to memory of 680	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe	schtasks.exe
PID 492 wrote to memory of 680	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe	schtasks.exe
PID 492 wrote to memory of 3232	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
PID 492 wrote to memory of 3232	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
PID 492 wrote to memory of 3232	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
PID 492 wrote to memory of 3996	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
PID 492 wrote to memory of 3996	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
PID 492 wrote to memory of 3996	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
PID 492 wrote to memory of 3996	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
PID 492 wrote to memory of 3996	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe
PID 492 wrote to memory of 3996	492	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe	44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads