xloader | 44b17de7c324ff60a195215bf1a73eb41febf731f86699848e68815db5978387

Analysis

max time kernel
11s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-01-2022 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order-410692-pdf.pif.exe
Size

283KB
MD5

206826730fc880f75d51f38c2cd94561
SHA1

7d67331de09a33ffcdc8f3b174bedf049f79d2b9
SHA256

44b17de7c324ff60a195215bf1a73eb41febf731f86699848e68815db5978387
SHA512

f4878c0a31e0f7bdfce83f859a70c0b8fed605bfcab5a3e28b97824097989407ad08a30ca1fe8054211bfd7e34ee538160ffaad7b9bd0ffb4c94eba9515210fe

Score

10^/10

xloader uar3 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1968-131-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

Order-410692-pdf.pif.exe

pid process

1408 Order-410692-pdf.pif.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Order-410692-pdf.pif.exe

description pid process target process

PID 1408 set thread context of 1968 1408 Order-410692-pdf.pif.exe Order-410692-pdf.pif.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1408	Order-410692-pdf.pif.exe

description	pid	process	target process
PID 1408 set thread context of 1968	1408	Order-410692-pdf.pif.exe	Order-410692-pdf.pif.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Order-410692-pdf.pif.exe

description	pid	process	target process
PID 1408 wrote to memory of 1968	1408	Order-410692-pdf.pif.exe	Order-410692-pdf.pif.exe
PID 1408 wrote to memory of 1968	1408	Order-410692-pdf.pif.exe	Order-410692-pdf.pif.exe
PID 1408 wrote to memory of 1968	1408	Order-410692-pdf.pif.exe	Order-410692-pdf.pif.exe
PID 1408 wrote to memory of 1968	1408	Order-410692-pdf.pif.exe	Order-410692-pdf.pif.exe
PID 1408 wrote to memory of 1968	1408	Order-410692-pdf.pif.exe	Order-410692-pdf.pif.exe
PID 1408 wrote to memory of 1968	1408	Order-410692-pdf.pif.exe	Order-410692-pdf.pif.exe

C:\Users\Admin\AppData\Local\Temp\Order-410692-pdf.pif.exe
"C:\Users\Admin\AppData\Local\Temp\Order-410692-pdf.pif.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\Order-410692-pdf.pif.exe
"C:\Users\Admin\AppData\Local\Temp\Order-410692-pdf.pif.exe"
2⤵
PID:1968

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso6282.tmp\vrgsug.dll
MD5
7154ab5f13d8daf833ce0d0a2e7f56dd

SHA1
48109dbd99e1af21c61f3bc61eb9bc5ac4539b66

SHA256
5a963e13de5bf55c526f7a07d3c6efaa4a3a196bf3d3f03d54d41eac76cc0019

SHA512
876dac6caefd448613c635c33af6c0a8516f6586ed0fe4a2426129720eafb7d7fd917ac91f33b1238042422d99e37639f88a6c5343ce51c8280962187c2a00df

Download Submit
memory/1968-131-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download