xloader | 4f64511b423d79682dfad8f6b516516d32e801f0031f07b7e3c6c19798a64b95

General

Target

886375fa6ecb64fa31dd20b8688216cc.exe
Size

545KB
MD5

886375fa6ecb64fa31dd20b8688216cc
SHA1

5b23e5b6fbe5add5b7a891288c66ac2df05dd52a
SHA256

4f64511b423d79682dfad8f6b516516d32e801f0031f07b7e3c6c19798a64b95
SHA512

5a9065efc8ea242a3efb66e809de949e13f214660d1f79a66a86cfee32f966ae838b5fd6d34aacb7d82d4ebc8682f44364ba917b43d5770c3d7260a99c80a849

Score

10^/10

xloader pnug loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pnug

Decoy

natureate.com

ita-pots.website

sucohansmushroom.com

produrielrosen.com

gosystemupdatenow.online

jiskra.art

janwiench.com

norfolkfoodhall.com

iloveaddictss.com

pogozip.com

buyinstapva.com

teardirectionfreedom.xyz

0205168.com

apaixonadosporpugs.online

jawscoinc.com

crafter.quest

wikipedianow.com

radiopuls.net

kendama-co.com

goodstudycanada.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1164-56-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1164-57-0x000000000041D400-mapping.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

886375fa6ecb64fa31dd20b8688216cc.exe

pid process

976 886375fa6ecb64fa31dd20b8688216cc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

886375fa6ecb64fa31dd20b8688216cc.exe

description pid process target process

PID 976 set thread context of 1164 976 886375fa6ecb64fa31dd20b8688216cc.exe 886375fa6ecb64fa31dd20b8688216cc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

886375fa6ecb64fa31dd20b8688216cc.exe

pid process

1164 886375fa6ecb64fa31dd20b8688216cc.exe

pid	process
976	886375fa6ecb64fa31dd20b8688216cc.exe

description	pid	process	target process
PID 976 set thread context of 1164	976	886375fa6ecb64fa31dd20b8688216cc.exe	886375fa6ecb64fa31dd20b8688216cc.exe

pid	process
1164	886375fa6ecb64fa31dd20b8688216cc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

886375fa6ecb64fa31dd20b8688216cc.exe

description	pid	process	target process
PID 976 wrote to memory of 1164	976	886375fa6ecb64fa31dd20b8688216cc.exe	886375fa6ecb64fa31dd20b8688216cc.exe
PID 976 wrote to memory of 1164	976	886375fa6ecb64fa31dd20b8688216cc.exe	886375fa6ecb64fa31dd20b8688216cc.exe
PID 976 wrote to memory of 1164	976	886375fa6ecb64fa31dd20b8688216cc.exe	886375fa6ecb64fa31dd20b8688216cc.exe
PID 976 wrote to memory of 1164	976	886375fa6ecb64fa31dd20b8688216cc.exe	886375fa6ecb64fa31dd20b8688216cc.exe
PID 976 wrote to memory of 1164	976	886375fa6ecb64fa31dd20b8688216cc.exe	886375fa6ecb64fa31dd20b8688216cc.exe
PID 976 wrote to memory of 1164	976	886375fa6ecb64fa31dd20b8688216cc.exe	886375fa6ecb64fa31dd20b8688216cc.exe
PID 976 wrote to memory of 1164	976	886375fa6ecb64fa31dd20b8688216cc.exe	886375fa6ecb64fa31dd20b8688216cc.exe

C:\Users\Admin\AppData\Local\Temp\886375fa6ecb64fa31dd20b8688216cc.exe
"C:\Users\Admin\AppData\Local\Temp\886375fa6ecb64fa31dd20b8688216cc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Local\Temp\886375fa6ecb64fa31dd20b8688216cc.exe
"C:\Users\Admin\AppData\Local\Temp\886375fa6ecb64fa31dd20b8688216cc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1164

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsiBCBC.tmp\dzqcmmok.dll
MD5
26cc8ace0ba0757e74668322ad6c988c

SHA1
b6c03df73c62d5cae48365856031bb15be5f30ea

SHA256
7602dd51d81cac5ea4f9c90e326bcaf2c445bc4f43a382645a99a2a4b391b836

SHA512
ecc36935593ee4ef0092d7ae7e445c2d2665779a7a97a4fe4235f68cfe34a29040a16a343dc9a1ca93ad7f1905f9658349c1bc6768c91822a72eeaa277c7ffac

Download Submit
memory/976-54-0x0000000076491000-0x0000000076493000-memory.dmp

Filesize
8KB

Download
memory/1164-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1164-57-0x000000000041D400-mapping.dmp

Download
memory/1164-58-0x0000000000950000-0x0000000000C53000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing