xloader | d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c

General

Target

d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe
Size

421KB
MD5

b04341cdd8fcb8aacd379147601df24b
SHA1

81c880a09e94267ee6c65c239d80d0b853828cd7
SHA256

d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c
SHA512

434c912533ea9c41971ff15325ead2d14b5171368640b8563f846387897944845f273451c2bb131a4baf0bde862c8dda487a346004a66d91ed1c4fd00b7ce438

Score

10^/10

xloader pnug loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pnug

Decoy

natureate.com

ita-pots.website

sucohansmushroom.com

produrielrosen.com

gosystemupdatenow.online

jiskra.art

janwiench.com

norfolkfoodhall.com

iloveaddictss.com

pogozip.com

buyinstapva.com

teardirectionfreedom.xyz

0205168.com

apaixonadosporpugs.online

jawscoinc.com

crafter.quest

wikipedianow.com

radiopuls.net

kendama-co.com

goodstudycanada.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3604-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/3604-117-0x000000000041D400-mapping.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe

pid process

3336 d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe

pid	process
3336	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe

description	pid	process	target process
PID 3336 set thread context of 3604	3336	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe

pid	process
3604	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe
3604	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe

description	pid	process	target process
PID 3336 wrote to memory of 3604	3336	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe
PID 3336 wrote to memory of 3604	3336	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe
PID 3336 wrote to memory of 3604	3336	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe
PID 3336 wrote to memory of 3604	3336	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe
PID 3336 wrote to memory of 3604	3336	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe
PID 3336 wrote to memory of 3604	3336	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe	d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe

C:\Users\Admin\AppData\Local\Temp\d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe
"C:\Users\Admin\AppData\Local\Temp\d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3336

C:\Users\Admin\AppData\Local\Temp\d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe
"C:\Users\Admin\AppData\Local\Temp\d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst99F1.tmp\iywtruju.dll
MD5
bbcef7b7d86c688d371e6c757c6f64a2

SHA1
42995c07af93819961b249c58d2d5a6821c19c36

SHA256
399706950a5002ab572857467a585342132dbbff7ea6b0d2a50f8f1b38291654

SHA512
dfe41bd756aa921d5ba2f2dd8483ef0475752c42443047883016ae3c24ba42413eb90aa494b7871fd7b098f022634b1ea09c3c57e0e9d86f1a12e8724efe861f

Download Submit
memory/3604-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3604-117-0x000000000041D400-mapping.dmp

Download
memory/3604-118-0x00000000009C0000-0x0000000000CE0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads