xloader | a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5

General

Target

a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
Size

400KB
MD5

97d27b18d29a1c75d82c8877c61e37e8
SHA1

538eaaa9a9f4dc60e672cb0c0649e4412429d0c7
SHA256

a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5
SHA512

42970720ad539183d94e5db9ea23ca8c472293cd58284e0144b229fa4743bed31b85453ea6b9fbc3115704b5e74db56fc12219b32c9927903147f74b2f00650f

Score

10^/10

xloader i5nb loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

i5nb

Decoy

integratedheartspsychology.com

tappsis.land

norfg.com

1531700.win

oneplusoneexperience.com

circlessalaries.com

tlcremodelingcompany.com

susalud.info

liyanghua.club

pink-zemi.com

orphe.biz

themodelclarified.com

candidate.tools

morotrip.com

d2dfms.com

leisuresabah.com

bjbwx114.com

lz-fcaini1718-hw0917-bs.xyz

at-commerce-co.net

buymypolicy.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/420-132-0x000000000041D460-mapping.dmp	xloader
behavioral1/memory/420-131-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe

description	pid	process	target process
PID 3800 set thread context of 420	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2836 schtasks.exe

pid	process
2836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exepowershell.exea2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe

pid	process
3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
372	powershell.exe
420	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
420	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
372	powershell.exe
372	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
Token: SeDebugPrivilege	372	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe

C:\Users\Admin\AppData\Local\Temp\a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
"C:\Users\Admin\AppData\Local\Temp\a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\btIaTzmfnX.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\btIaTzmfnX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A65.tmp"
2⤵
- Creates scheduled task(s)
PID:2836

C:\Users\Admin\AppData\Local\Temp\a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
"C:\Users\Admin\AppData\Local\Temp\a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe"
2⤵
PID:380

C:\Users\Admin\AppData\Local\Temp\a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
"C:\Users\Admin\AppData\Local\Temp\a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3A65.tmp
MD5
7562a83ae5171d941fcdf79d0c114f2a

SHA1
98bf495f40c27ca0671f16bea11e3c1e681db225

SHA256
766d92bc9bf693b03785d192bda35716a319ad39a18d2d67344dd0b3d92eaf45

SHA512
0a8ccab1cc8be915f7b10eb515a64f42bfdf87d8e618bb9c50b291a9395a56b07eee48917ce58e8735c30b071d4a80ba5cfbff768d34db7321a36b4ac0b00600

Download Submit
memory/372-155-0x0000000004600000-0x0000000004622000-memory.dmp

Filesize
136KB

Download
memory/372-367-0x0000000008ED0000-0x0000000008ED8000-memory.dmp

Filesize
32KB

Download
memory/372-372-0x0000000008ED0000-0x0000000008ED8000-memory.dmp

Filesize
32KB

Download
memory/372-139-0x00000000075F0000-0x0000000007940000-memory.dmp

Filesize
3.3MB

Download
memory/372-366-0x0000000008EE0000-0x0000000008EFA000-memory.dmp

Filesize
104KB

Download
memory/372-361-0x0000000008EE0000-0x0000000008EFA000-memory.dmp

Filesize
104KB

Download
memory/372-220-0x0000000004633000-0x0000000004634000-memory.dmp

Filesize
4KB

Download
memory/372-167-0x0000000008F50000-0x0000000008FE4000-memory.dmp

Filesize
592KB

Download
memory/372-166-0x0000000008D70000-0x0000000008E15000-memory.dmp

Filesize
660KB

Download
memory/372-125-0x0000000000000000-mapping.dmp

Download
memory/372-161-0x0000000008A10000-0x0000000008A2E000-memory.dmp

Filesize
120KB

Download
memory/372-127-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/372-128-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/372-159-0x0000000007BA0000-0x0000000007C16000-memory.dmp

Filesize
472KB

Download
memory/372-130-0x00000000045C0000-0x00000000045F6000-memory.dmp

Filesize
216KB

Download
memory/372-160-0x000000007E940000-0x000000007E941000-memory.dmp

Filesize
4KB

Download
memory/372-136-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/372-133-0x0000000006FC0000-0x00000000075E8000-memory.dmp

Filesize
6.2MB

Download
memory/372-134-0x0000000004600000-0x0000000004622000-memory.dmp

Filesize
136KB

Download
memory/372-135-0x0000000006DC0000-0x0000000006E26000-memory.dmp

Filesize
408KB

Download
memory/372-137-0x0000000006F30000-0x0000000006F96000-memory.dmp

Filesize
408KB

Download
memory/372-138-0x0000000004632000-0x0000000004633000-memory.dmp

Filesize
4KB

Download
memory/372-140-0x0000000000EC0000-0x0000000000EDC000-memory.dmp

Filesize
112KB

Download
memory/372-158-0x0000000006D50000-0x0000000006D9B000-memory.dmp

Filesize
300KB

Download
memory/372-157-0x0000000006F30000-0x0000000006F96000-memory.dmp

Filesize
408KB

Download
memory/372-141-0x0000000006D50000-0x0000000006D9B000-memory.dmp

Filesize
300KB

Download
memory/372-156-0x0000000006DC0000-0x0000000006E26000-memory.dmp

Filesize
408KB

Download
memory/372-143-0x0000000007BA0000-0x0000000007C16000-memory.dmp

Filesize
472KB

Download
memory/372-144-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/372-152-0x0000000006FC0000-0x00000000075E8000-memory.dmp

Filesize
6.2MB

Download
memory/372-153-0x0000000008C30000-0x0000000008C63000-memory.dmp

Filesize
204KB

Download
memory/372-154-0x0000000008C30000-0x0000000008C63000-memory.dmp

Filesize
204KB

Download
memory/420-132-0x000000000041D460-mapping.dmp

Download
memory/420-142-0x0000000001400000-0x0000000001720000-memory.dmp

Filesize
3.1MB

Download
memory/420-131-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2836-126-0x0000000000000000-mapping.dmp

Download
memory/3800-124-0x0000000008A50000-0x0000000008AAE000-memory.dmp

Filesize
376KB

Download
memory/3800-115-0x0000000000700000-0x000000000076A000-memory.dmp

Filesize
424KB

Download
memory/3800-117-0x00000000055A0000-0x0000000005A9E000-memory.dmp

Filesize
5.0MB

Download
memory/3800-116-0x0000000000700000-0x000000000076A000-memory.dmp

Filesize
424KB

Download
memory/3800-123-0x00000000088B0000-0x000000000894C000-memory.dmp

Filesize
624KB

Download
memory/3800-122-0x00000000050A0000-0x000000000559E000-memory.dmp

Filesize
5.0MB

Download
memory/3800-121-0x0000000008540000-0x000000000858B000-memory.dmp

Filesize
300KB

Download
memory/3800-120-0x00000000053C0000-0x00000000053CE000-memory.dmp

Filesize
56KB

Download
memory/3800-119-0x0000000004FA0000-0x0000000004FAA000-memory.dmp

Filesize
40KB

Download
memory/3800-118-0x0000000004FC0000-0x0000000005052000-memory.dmp

Filesize
584KB

Download

description	pid	process	target process
PID 3800 wrote to memory of 372	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe	powershell.exe
PID 3800 wrote to memory of 372	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe	powershell.exe
PID 3800 wrote to memory of 372	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe	powershell.exe
PID 3800 wrote to memory of 2836	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe	schtasks.exe
PID 3800 wrote to memory of 2836	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe	schtasks.exe
PID 3800 wrote to memory of 2836	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe	schtasks.exe
PID 3800 wrote to memory of 380	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
PID 3800 wrote to memory of 380	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
PID 3800 wrote to memory of 380	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
PID 3800 wrote to memory of 420	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
PID 3800 wrote to memory of 420	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
PID 3800 wrote to memory of 420	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
PID 3800 wrote to memory of 420	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
PID 3800 wrote to memory of 420	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe
PID 3800 wrote to memory of 420	3800	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe	a2350a5de6de03952d1a75a6135bc92690500e13854d481338bb07aa011bfcd5.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads