xloader | 44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5

General

Target

97ccf6ebd6abe7786677f0e6e6b8aef0.exe
Size

882KB
MD5

97ccf6ebd6abe7786677f0e6e6b8aef0
SHA1

be06f330c04450b80848d8c5ed680dd8fce61c21
SHA256

44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5
SHA512

0f4d549a3798ba0e9e10bc2e7f680290f5fc5b11c39e3f784cf04c1c0969739d906bd556f5c7f722c4a6d4d2d1ed2ab3246d2e668f03149fa1a033eeff17e761

Score

10^/10

xloader nt3f loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3124-132-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3124-133-0x000000000041D460-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

97ccf6ebd6abe7786677f0e6e6b8aef0.exe

description pid process target process

PID 2760 set thread context of 3124 2760 97ccf6ebd6abe7786677f0e6e6b8aef0.exe 97ccf6ebd6abe7786677f0e6e6b8aef0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2840 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

97ccf6ebd6abe7786677f0e6e6b8aef0.exepowershell.exe

pid process

3124 97ccf6ebd6abe7786677f0e6e6b8aef0.exe
3124 97ccf6ebd6abe7786677f0e6e6b8aef0.exe
1632 powershell.exe
1632 powershell.exe
1632 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1632 powershell.exe

description	pid	process	target process
PID 2760 set thread context of 3124	2760	97ccf6ebd6abe7786677f0e6e6b8aef0.exe	97ccf6ebd6abe7786677f0e6e6b8aef0.exe

pid	process
2840	schtasks.exe

pid	process
3124	97ccf6ebd6abe7786677f0e6e6b8aef0.exe
3124	97ccf6ebd6abe7786677f0e6e6b8aef0.exe
1632	powershell.exe
1632	powershell.exe
1632	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1632	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

97ccf6ebd6abe7786677f0e6e6b8aef0.exe

description	pid	process	target process
PID 2760 wrote to memory of 1632	2760	97ccf6ebd6abe7786677f0e6e6b8aef0.exe	powershell.exe
PID 2760 wrote to memory of 1632	2760	97ccf6ebd6abe7786677f0e6e6b8aef0.exe	powershell.exe
PID 2760 wrote to memory of 1632	2760	97ccf6ebd6abe7786677f0e6e6b8aef0.exe	powershell.exe
PID 2760 wrote to memory of 2840	2760	97ccf6ebd6abe7786677f0e6e6b8aef0.exe	schtasks.exe
PID 2760 wrote to memory of 2840	2760	97ccf6ebd6abe7786677f0e6e6b8aef0.exe	schtasks.exe
PID 2760 wrote to memory of 2840	2760	97ccf6ebd6abe7786677f0e6e6b8aef0.exe	schtasks.exe
PID 2760 wrote to memory of 3124	2760	97ccf6ebd6abe7786677f0e6e6b8aef0.exe	97ccf6ebd6abe7786677f0e6e6b8aef0.exe
PID 2760 wrote to memory of 3124	2760	97ccf6ebd6abe7786677f0e6e6b8aef0.exe	97ccf6ebd6abe7786677f0e6e6b8aef0.exe
PID 2760 wrote to memory of 3124	2760	97ccf6ebd6abe7786677f0e6e6b8aef0.exe	97ccf6ebd6abe7786677f0e6e6b8aef0.exe
PID 2760 wrote to memory of 3124	2760	97ccf6ebd6abe7786677f0e6e6b8aef0.exe	97ccf6ebd6abe7786677f0e6e6b8aef0.exe
PID 2760 wrote to memory of 3124	2760	97ccf6ebd6abe7786677f0e6e6b8aef0.exe	97ccf6ebd6abe7786677f0e6e6b8aef0.exe
PID 2760 wrote to memory of 3124	2760	97ccf6ebd6abe7786677f0e6e6b8aef0.exe	97ccf6ebd6abe7786677f0e6e6b8aef0.exe

C:\Users\Admin\AppData\Local\Temp\97ccf6ebd6abe7786677f0e6e6b8aef0.exe
"C:\Users\Admin\AppData\Local\Temp\97ccf6ebd6abe7786677f0e6e6b8aef0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wLPRsknlyKFXuL.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wLPRsknlyKFXuL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEA5C.tmp"
2⤵
- Creates scheduled task(s)
PID:2840

C:\Users\Admin\AppData\Local\Temp\97ccf6ebd6abe7786677f0e6e6b8aef0.exe
"C:\Users\Admin\AppData\Local\Temp\97ccf6ebd6abe7786677f0e6e6b8aef0.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEA5C.tmp
MD5
01f28a89a3d659e55bca8afddff29dcc

SHA1
e465f7b6eae10a562d885701ee8b629c8acf28f7

SHA256
ddd0b0870a3017805e40a541445f6239b367552d97da7da90e04bb4a7519936f

SHA512
642b89b395be3e50cca4608eb41b4a36000ffe07053908eae50fd7691de4207208a853fe82ad62192c856bcef46ed8c3289c4e7ee1438e9ccd270dcfe3201bec

Download Submit
memory/1632-158-0x0000000007CD0000-0x0000000007D36000-memory.dmp

Filesize
408KB

Download
memory/1632-168-0x0000000009A60000-0x0000000009AF4000-memory.dmp

Filesize
592KB

Download
memory/1632-373-0x00000000099F0000-0x00000000099F8000-memory.dmp

Filesize
32KB

Download
memory/1632-138-0x0000000007CD0000-0x0000000007D36000-memory.dmp

Filesize
408KB

Download
memory/1632-367-0x0000000009A00000-0x0000000009A1A000-memory.dmp

Filesize
104KB

Download
memory/1632-362-0x0000000009A00000-0x0000000009A1A000-memory.dmp

Filesize
104KB

Download
memory/1632-171-0x0000000004A53000-0x0000000004A54000-memory.dmp

Filesize
4KB

Download
memory/1632-139-0x0000000007D40000-0x0000000007DA6000-memory.dmp

Filesize
408KB

Download
memory/1632-167-0x0000000009880000-0x0000000009925000-memory.dmp

Filesize
660KB

Download
memory/1632-162-0x0000000009720000-0x000000000973E000-memory.dmp

Filesize
120KB

Download
memory/1632-126-0x0000000000000000-mapping.dmp

Download
memory/1632-161-0x00000000086F0000-0x0000000008766000-memory.dmp

Filesize
472KB

Download
memory/1632-128-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/1632-129-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/1632-160-0x00000000083A0000-0x00000000083EB000-memory.dmp

Filesize
300KB

Download
memory/1632-131-0x0000000006F00000-0x0000000006F36000-memory.dmp

Filesize
216KB

Download
memory/1632-159-0x0000000007D40000-0x0000000007DA6000-memory.dmp

Filesize
408KB

Download
memory/1632-157-0x000000007E7E0000-0x000000007E7E1000-memory.dmp

Filesize
4KB

Download
memory/1632-134-0x0000000007570000-0x0000000007B98000-memory.dmp

Filesize
6.2MB

Download
memory/1632-135-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/1632-136-0x0000000004A52000-0x0000000004A53000-memory.dmp

Filesize
4KB

Download
memory/1632-137-0x00000000074F0000-0x0000000007512000-memory.dmp

Filesize
136KB

Download
memory/1632-368-0x00000000099F0000-0x00000000099F8000-memory.dmp

Filesize
32KB

Download
memory/1632-154-0x0000000009740000-0x0000000009773000-memory.dmp

Filesize
204KB

Download
memory/1632-143-0x00000000083A0000-0x00000000083EB000-memory.dmp

Filesize
300KB

Download
memory/1632-156-0x00000000074F0000-0x0000000007512000-memory.dmp

Filesize
136KB

Download
memory/1632-142-0x0000000007E10000-0x0000000007E2C000-memory.dmp

Filesize
112KB

Download
memory/1632-140-0x0000000007F90000-0x00000000082E0000-memory.dmp

Filesize
3.3MB

Download
memory/1632-144-0x00000000086F0000-0x0000000008766000-memory.dmp

Filesize
472KB

Download
memory/1632-145-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/1632-153-0x0000000007570000-0x0000000007B98000-memory.dmp

Filesize
6.2MB

Download
memory/1632-155-0x0000000009740000-0x0000000009773000-memory.dmp

Filesize
204KB

Download
memory/2760-116-0x00000000008B0000-0x0000000000994000-memory.dmp

Filesize
912KB

Download
memory/2760-122-0x0000000008D70000-0x0000000008D7E000-memory.dmp

Filesize
56KB

Download
memory/2760-118-0x0000000005380000-0x0000000005412000-memory.dmp

Filesize
584KB

Download
memory/2760-125-0x0000000009190000-0x00000000091EE000-memory.dmp

Filesize
376KB

Download
memory/2760-119-0x0000000005580000-0x00000000058D0000-memory.dmp

Filesize
3.3MB

Download
memory/2760-120-0x0000000002E10000-0x0000000002E1A000-memory.dmp

Filesize
40KB

Download
memory/2760-117-0x0000000005A80000-0x0000000005F7E000-memory.dmp

Filesize
5.0MB

Download
memory/2760-124-0x00000000090F0000-0x000000000918C000-memory.dmp

Filesize
624KB

Download
memory/2760-121-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/2760-123-0x0000000008D80000-0x0000000008DCB000-memory.dmp

Filesize
300KB

Download
memory/2760-115-0x00000000008B0000-0x0000000000994000-memory.dmp

Filesize
912KB

Download
memory/2840-127-0x0000000000000000-mapping.dmp

Download
memory/3124-141-0x00000000015A0000-0x00000000018C0000-memory.dmp

Filesize
3.1MB

Download
memory/3124-132-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3124-133-0x000000000041D460-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads