xloader | ee5dd80f9946c3b8221409e1aed242cd36a8188850718f89722b48404906275e

General

Target

0becd341e0585b0c5a278e62a9727a9a.exe
Size

845KB
MD5

0becd341e0585b0c5a278e62a9727a9a
SHA1

71b8b08ab44bb93a2bacb3948a8dee5273f78488
SHA256

ee5dd80f9946c3b8221409e1aed242cd36a8188850718f89722b48404906275e
SHA512

9edfca50d1ebe082bd13ba32de078bca96a06c8bf18b56471f12adfd3a05830eb821f5ce26404d1e2bea48b3dda3b74b06ae3f4922de2c1842f17329173a1cb9

Score

10^/10

xloader nt3f loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1472-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

0becd341e0585b0c5a278e62a9727a9a.exe

description pid process target process

PID 764 set thread context of 1472 764 0becd341e0585b0c5a278e62a9727a9a.exe 0becd341e0585b0c5a278e62a9727a9a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1388 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0becd341e0585b0c5a278e62a9727a9a.exepowershell.exe

pid process

1472 0becd341e0585b0c5a278e62a9727a9a.exe
1272 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1272 powershell.exe

description	pid	process	target process
PID 764 set thread context of 1472	764	0becd341e0585b0c5a278e62a9727a9a.exe	0becd341e0585b0c5a278e62a9727a9a.exe

pid	process
1388	schtasks.exe

pid	process
1472	0becd341e0585b0c5a278e62a9727a9a.exe
1272	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1272	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0becd341e0585b0c5a278e62a9727a9a.exe

description	pid	process	target process
PID 764 wrote to memory of 1272	764	0becd341e0585b0c5a278e62a9727a9a.exe	powershell.exe
PID 764 wrote to memory of 1272	764	0becd341e0585b0c5a278e62a9727a9a.exe	powershell.exe
PID 764 wrote to memory of 1272	764	0becd341e0585b0c5a278e62a9727a9a.exe	powershell.exe
PID 764 wrote to memory of 1272	764	0becd341e0585b0c5a278e62a9727a9a.exe	powershell.exe
PID 764 wrote to memory of 1388	764	0becd341e0585b0c5a278e62a9727a9a.exe	schtasks.exe
PID 764 wrote to memory of 1388	764	0becd341e0585b0c5a278e62a9727a9a.exe	schtasks.exe
PID 764 wrote to memory of 1388	764	0becd341e0585b0c5a278e62a9727a9a.exe	schtasks.exe
PID 764 wrote to memory of 1388	764	0becd341e0585b0c5a278e62a9727a9a.exe	schtasks.exe
PID 764 wrote to memory of 1472	764	0becd341e0585b0c5a278e62a9727a9a.exe	0becd341e0585b0c5a278e62a9727a9a.exe
PID 764 wrote to memory of 1472	764	0becd341e0585b0c5a278e62a9727a9a.exe	0becd341e0585b0c5a278e62a9727a9a.exe
PID 764 wrote to memory of 1472	764	0becd341e0585b0c5a278e62a9727a9a.exe	0becd341e0585b0c5a278e62a9727a9a.exe
PID 764 wrote to memory of 1472	764	0becd341e0585b0c5a278e62a9727a9a.exe	0becd341e0585b0c5a278e62a9727a9a.exe
PID 764 wrote to memory of 1472	764	0becd341e0585b0c5a278e62a9727a9a.exe	0becd341e0585b0c5a278e62a9727a9a.exe
PID 764 wrote to memory of 1472	764	0becd341e0585b0c5a278e62a9727a9a.exe	0becd341e0585b0c5a278e62a9727a9a.exe
PID 764 wrote to memory of 1472	764	0becd341e0585b0c5a278e62a9727a9a.exe	0becd341e0585b0c5a278e62a9727a9a.exe

C:\Users\Admin\AppData\Local\Temp\0becd341e0585b0c5a278e62a9727a9a.exe
"C:\Users\Admin\AppData\Local\Temp\0becd341e0585b0c5a278e62a9727a9a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\szzAArbkCRJS.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\szzAArbkCRJS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB348.tmp"
2⤵
- Creates scheduled task(s)
PID:1388

C:\Users\Admin\AppData\Local\Temp\0becd341e0585b0c5a278e62a9727a9a.exe
"C:\Users\Admin\AppData\Local\Temp\0becd341e0585b0c5a278e62a9727a9a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1472

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB348.tmp
MD5
9a8a6c206e28beeb0dbf5619e1966729

SHA1
0c39ee7ae394fac37cfc287a163ee2be4e53b820

SHA256
0e58ed3a4b60c772eab5b12daa73e5aa5fb88d24ab2697ef5750d246e97ddacc

SHA512
397ac407e5e2bd0bdae3bd6a073a9daadfdc7828f98a1fa6c4de3e3a82ebe70779869bbbff5e16369f547a8852170b61049d11943f27c1a23fadc3c41f08868a

Download Submit
memory/764-56-0x0000000001FF0000-0x0000000001FFE000-memory.dmp

Filesize
56KB

Download
memory/764-55-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/764-53-0x0000000000260000-0x000000000033A000-memory.dmp

Filesize
872KB

Download
memory/764-57-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/764-58-0x00000000055E0000-0x000000000568A000-memory.dmp

Filesize
680KB

Download
memory/764-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1272-64-0x0000000002450000-0x000000000309A000-memory.dmp

Filesize
12.3MB

Download
memory/1272-66-0x0000000002450000-0x000000000309A000-memory.dmp

Filesize
12.3MB

Download
memory/1272-67-0x0000000002450000-0x000000000309A000-memory.dmp

Filesize
12.3MB

Download
memory/1472-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1472-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1472-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1472-65-0x0000000000870000-0x0000000000B73000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads