xloader | ee5dd80f9946c3b8221409e1aed242cd36a8188850718f89722b48404906275e

General

Target

0becd341e0585b0c5a278e62a9727a9a.exe
Size

845KB
MD5

0becd341e0585b0c5a278e62a9727a9a
SHA1

71b8b08ab44bb93a2bacb3948a8dee5273f78488
SHA256

ee5dd80f9946c3b8221409e1aed242cd36a8188850718f89722b48404906275e
SHA512

9edfca50d1ebe082bd13ba32de078bca96a06c8bf18b56471f12adfd3a05830eb821f5ce26404d1e2bea48b3dda3b74b06ae3f4922de2c1842f17329173a1cb9

Score

10^/10

xloader nt3f loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3200-130-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

0becd341e0585b0c5a278e62a9727a9a.exe

description pid process target process

PID 3804 set thread context of 3200 3804 0becd341e0585b0c5a278e62a9727a9a.exe 0becd341e0585b0c5a278e62a9727a9a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1924 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

0becd341e0585b0c5a278e62a9727a9a.exepowershell.exe

pid process

3200 0becd341e0585b0c5a278e62a9727a9a.exe
3200 0becd341e0585b0c5a278e62a9727a9a.exe
3008 powershell.exe
3008 powershell.exe
3008 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3008 powershell.exe

description	pid	process	target process
PID 3804 set thread context of 3200	3804	0becd341e0585b0c5a278e62a9727a9a.exe	0becd341e0585b0c5a278e62a9727a9a.exe

pid	process
1924	schtasks.exe

pid	process
3200	0becd341e0585b0c5a278e62a9727a9a.exe
3200	0becd341e0585b0c5a278e62a9727a9a.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3008	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0becd341e0585b0c5a278e62a9727a9a.exe

description	pid	process	target process
PID 3804 wrote to memory of 3008	3804	0becd341e0585b0c5a278e62a9727a9a.exe	powershell.exe
PID 3804 wrote to memory of 3008	3804	0becd341e0585b0c5a278e62a9727a9a.exe	powershell.exe
PID 3804 wrote to memory of 3008	3804	0becd341e0585b0c5a278e62a9727a9a.exe	powershell.exe
PID 3804 wrote to memory of 1924	3804	0becd341e0585b0c5a278e62a9727a9a.exe	schtasks.exe
PID 3804 wrote to memory of 1924	3804	0becd341e0585b0c5a278e62a9727a9a.exe	schtasks.exe
PID 3804 wrote to memory of 1924	3804	0becd341e0585b0c5a278e62a9727a9a.exe	schtasks.exe
PID 3804 wrote to memory of 3200	3804	0becd341e0585b0c5a278e62a9727a9a.exe	0becd341e0585b0c5a278e62a9727a9a.exe
PID 3804 wrote to memory of 3200	3804	0becd341e0585b0c5a278e62a9727a9a.exe	0becd341e0585b0c5a278e62a9727a9a.exe
PID 3804 wrote to memory of 3200	3804	0becd341e0585b0c5a278e62a9727a9a.exe	0becd341e0585b0c5a278e62a9727a9a.exe
PID 3804 wrote to memory of 3200	3804	0becd341e0585b0c5a278e62a9727a9a.exe	0becd341e0585b0c5a278e62a9727a9a.exe
PID 3804 wrote to memory of 3200	3804	0becd341e0585b0c5a278e62a9727a9a.exe	0becd341e0585b0c5a278e62a9727a9a.exe
PID 3804 wrote to memory of 3200	3804	0becd341e0585b0c5a278e62a9727a9a.exe	0becd341e0585b0c5a278e62a9727a9a.exe

C:\Users\Admin\AppData\Local\Temp\0becd341e0585b0c5a278e62a9727a9a.exe
"C:\Users\Admin\AppData\Local\Temp\0becd341e0585b0c5a278e62a9727a9a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\szzAArbkCRJS.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\szzAArbkCRJS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2041.tmp"
2⤵
- Creates scheduled task(s)
PID:1924

C:\Users\Admin\AppData\Local\Temp\0becd341e0585b0c5a278e62a9727a9a.exe
"C:\Users\Admin\AppData\Local\Temp\0becd341e0585b0c5a278e62a9727a9a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3200

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2041.tmp
MD5
62fc44338e301207cb2400ed53567770

SHA1
5ee2e45f3e25c2042dd4baeb5d456f6977974046

SHA256
01199565668bb82644b44784b31cb42f82d60ddd3f8efff894eb9cd97e4b3650

SHA512
7eef6597f26efec88a79f03bb50d966b13f74070d16228a378d797ea901043def6ebfec65e2a93d714fd965910c48de501af1cf730863653ce571c29ecc6f1b5

Download Submit
memory/3008-138-0x0000000008150000-0x000000000819B000-memory.dmp

Filesize
300KB

Download
memory/3008-148-0x00000000097D0000-0x0000000009803000-memory.dmp

Filesize
204KB

Download
memory/3008-133-0x0000000007EB0000-0x0000000007ED2000-memory.dmp

Filesize
136KB

Download
memory/3008-350-0x0000000009650000-0x000000000966A000-memory.dmp

Filesize
104KB

Download
memory/3008-157-0x0000000009CE0000-0x0000000009D74000-memory.dmp

Filesize
592KB

Download
memory/3008-156-0x0000000007213000-0x0000000007214000-memory.dmp

Filesize
4KB

Download
memory/3008-155-0x0000000009970000-0x0000000009A15000-memory.dmp

Filesize
660KB

Download
memory/3008-154-0x000000007E8F0000-0x000000007E8F1000-memory.dmp

Filesize
4KB

Download
memory/3008-126-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/3008-149-0x00000000097B0000-0x00000000097CE000-memory.dmp

Filesize
120KB

Download
memory/3008-128-0x0000000004D70000-0x0000000004DA6000-memory.dmp

Filesize
216KB

Download
memory/3008-129-0x0000000007212000-0x0000000007213000-memory.dmp

Filesize
4KB

Download
memory/3008-139-0x00000000088E0000-0x0000000008956000-memory.dmp

Filesize
472KB

Download
memory/3008-131-0x0000000007850000-0x0000000007E78000-memory.dmp

Filesize
6.2MB

Download
memory/3008-355-0x0000000009640000-0x0000000009648000-memory.dmp

Filesize
32KB

Download
memory/3008-137-0x0000000008130000-0x000000000814C000-memory.dmp

Filesize
112KB

Download
memory/3008-134-0x0000000007F50000-0x0000000007FB6000-memory.dmp

Filesize
408KB

Download
memory/3008-135-0x00000000080C0000-0x0000000008126000-memory.dmp

Filesize
408KB

Download
memory/3008-136-0x00000000081F0000-0x0000000008540000-memory.dmp

Filesize
3.3MB

Download
memory/3200-130-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3200-132-0x00000000018E0000-0x0000000001C00000-memory.dmp

Filesize
3.1MB

Download
memory/3804-118-0x00000000054E0000-0x0000000005572000-memory.dmp

Filesize
584KB

Download
memory/3804-115-0x0000000000B30000-0x0000000000C0A000-memory.dmp

Filesize
872KB

Download
memory/3804-117-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/3804-116-0x0000000005B70000-0x000000000606E000-memory.dmp

Filesize
5.0MB

Download
memory/3804-123-0x0000000006510000-0x00000000065BA000-memory.dmp

Filesize
680KB

Download
memory/3804-122-0x000000007F6E0000-0x000000007F6E1000-memory.dmp

Filesize
4KB

Download
memory/3804-121-0x0000000006130000-0x000000000613E000-memory.dmp

Filesize
56KB

Download
memory/3804-120-0x0000000005840000-0x00000000058DC000-memory.dmp

Filesize
624KB

Download
memory/3804-119-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads