xloader | 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d

General

Target

1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe
Size

594KB
MD5

3307bd369cf29789bc0e4a28a60212bc
SHA1

a3427db83936cd9e5af6c98019945833680c007a
SHA256

1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d
SHA512

bde682298b8c8ea82529ee07e4f3c68b18a8e1b8b9f94f3c119452341d4802f029a09f4a2e94dbf71a7e37c3aec769c3e6cacbf2633cb4f503fe8788a2b37c8f

Score

10^/10

xloader pnug loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pnug

Decoy

natureate.com

ita-pots.website

sucohansmushroom.com

produrielrosen.com

gosystemupdatenow.online

jiskra.art

janwiench.com

norfolkfoodhall.com

iloveaddictss.com

pogozip.com

buyinstapva.com

teardirectionfreedom.xyz

0205168.com

apaixonadosporpugs.online

jawscoinc.com

crafter.quest

wikipedianow.com

radiopuls.net

kendama-co.com

goodstudycanada.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2744-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2744-117-0x000000000041D400-mapping.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe

pid process

2420 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe

pid	process
2420	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe

description	pid	process	target process
PID 2420 set thread context of 2744	2420	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe

pid	process
2744	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe
2744	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe

description	pid	process	target process
PID 2420 wrote to memory of 2744	2420	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe
PID 2420 wrote to memory of 2744	2420	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe
PID 2420 wrote to memory of 2744	2420	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe
PID 2420 wrote to memory of 2744	2420	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe
PID 2420 wrote to memory of 2744	2420	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe
PID 2420 wrote to memory of 2744	2420	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe	1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe

C:\Users\Admin\AppData\Local\Temp\1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe
"C:\Users\Admin\AppData\Local\Temp\1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\AppData\Local\Temp\1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe
"C:\Users\Admin\AppData\Local\Temp\1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsj9A4F.tmp\yiinyuiygtr.dll
MD5
d4ad23215639a5f19713244b43b9436b

SHA1
90aac5a4f115241015b0b2e2635accf4b8dffded

SHA256
b854dfeef6729df501459ff0599d87d9bbc0201cb822d121376481910bb767b9

SHA512
82a1a850c96f14d266052bd403001e3c4df5b879bfeed795202746d0e854c41ef9f4d4a40529b04d90771514d72bb973d3c0d79a55b81f791ab88ef7df64afd2

Download Submit
memory/2744-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2744-117-0x000000000041D400-mapping.dmp

Download
memory/2744-118-0x00000000009E0000-0x0000000000D00000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads