xloader | 3866d4f2f3fa6a3cdedd0b3e4704b438881b0a147e75eeddacaeea85e52c669a

Analysis

max time kernel
23s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-01-2022 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scan doc_o1022111234.exe
Size

285KB
MD5

69ee93123716e7d21e0e527be980c22b
SHA1

bb4b074dda0d143d36a6c4c572bd669be67fe0e5
SHA256

3866d4f2f3fa6a3cdedd0b3e4704b438881b0a147e75eeddacaeea85e52c669a
SHA512

36925cddedff3acb9a217ce35e8d676a46d76f5873471daf9e9cf512f2df5934fe263532b0ba789573fdc887eb211eee6cbe0988b8e22306d16ff211509c1edc

Score

10^/10

xloader cxep loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cxep

Decoy

estateglobal.info

loransstore.com

loginofy.com

fjallravenz.online

cefseguranca-app.com

safontadiestramiento.com

bubbleteapro.com

morethanmummies.com

serviciopersonalizadoweb.com

headerbidder.info

skworkforce.com

heightsorthodontics.com

chulavistapd.com

southjerseyautobody.net

chargedbygratitude.com

meltingpotspot.com

gdjiachen.com

luckdrawprogram.com

vintagepaseo.com

bequestslojyh.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1316-131-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

scan doc_o1022111234.exe

pid process

3996 scan doc_o1022111234.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

scan doc_o1022111234.exe

description pid process target process

PID 3996 set thread context of 1316 3996 scan doc_o1022111234.exe scan doc_o1022111234.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3996	scan doc_o1022111234.exe

description	pid	process	target process
PID 3996 set thread context of 1316	3996	scan doc_o1022111234.exe	scan doc_o1022111234.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

scan doc_o1022111234.exe

description	pid	process	target process
PID 3996 wrote to memory of 1316	3996	scan doc_o1022111234.exe	scan doc_o1022111234.exe
PID 3996 wrote to memory of 1316	3996	scan doc_o1022111234.exe	scan doc_o1022111234.exe
PID 3996 wrote to memory of 1316	3996	scan doc_o1022111234.exe	scan doc_o1022111234.exe
PID 3996 wrote to memory of 1316	3996	scan doc_o1022111234.exe	scan doc_o1022111234.exe
PID 3996 wrote to memory of 1316	3996	scan doc_o1022111234.exe	scan doc_o1022111234.exe
PID 3996 wrote to memory of 1316	3996	scan doc_o1022111234.exe	scan doc_o1022111234.exe

C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe
"C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe
"C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe"
2⤵
PID:1316

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsxD0CC.tmp\uyhlelrjb.dll
MD5
3b2bf8df341ac6f0edfe50a1ae7ff555

SHA1
e9bdd7cbf9426b710c9ea60c36ee0b2183ebb602

SHA256
eace00923a15331adc6214d609b21328047a13ffdd4e14cc5e2e142241c156ad

SHA512
a127e8a748d8fa78b54e3cfbae47d147d93586f566b3d1a8a6cbc6e06df5f6ffdcc6abd61c4bf96d69b332f0646b90935fa2231d7be3cbfdd68975d387c9a6f1

Download Submit
memory/1316-131-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download