xloader | ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3

General

Target

ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe
Size

810KB
MD5

dc06649db7eafdb332b7d8f2adb2ebdd
SHA1

a1179b64bcc678631108c8b16ec297838e8499fb
SHA256

ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3
SHA512

7d1da393a50faf546cbc023183618254e82362bdaf88e88b21793b4c5279642f1418e1dfa0c4949c654aea38f2e8a91f6b6acc1b07dc0be7fcc25b939679ae50

Score

10^/10

xloader nt3f loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/708-127-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe

description	pid	process	target process
PID 2708 set thread context of 708	2708	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1776 schtasks.exe

pid	process
1776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exeae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe

pid	process
496	powershell.exe
708	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe
708	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe
496	powershell.exe
496	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 496 powershell.exe

description	pid	process
Token: SeDebugPrivilege	496	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe

description	pid	process	target process
PID 2708 wrote to memory of 496	2708	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe	powershell.exe
PID 2708 wrote to memory of 496	2708	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe	powershell.exe
PID 2708 wrote to memory of 496	2708	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe	powershell.exe
PID 2708 wrote to memory of 1776	2708	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe	schtasks.exe
PID 2708 wrote to memory of 1776	2708	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe	schtasks.exe
PID 2708 wrote to memory of 1776	2708	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe	schtasks.exe
PID 2708 wrote to memory of 708	2708	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe
PID 2708 wrote to memory of 708	2708	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe
PID 2708 wrote to memory of 708	2708	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe
PID 2708 wrote to memory of 708	2708	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe
PID 2708 wrote to memory of 708	2708	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe
PID 2708 wrote to memory of 708	2708	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe	ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe

C:\Users\Admin\AppData\Local\Temp\ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe
"C:\Users\Admin\AppData\Local\Temp\ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FdsdzRAs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FdsdzRAs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8BC1.tmp"
2⤵
- Creates scheduled task(s)
PID:1776

C:\Users\Admin\AppData\Local\Temp\ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe
"C:\Users\Admin\AppData\Local\Temp\ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:708

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8BC1.tmp
MD5
6f952e4a11eaf3b93eff0f2e155b62e5

SHA1
3b7c68f662d4d789befd4257a662f544f3250c13

SHA256
17825d3c5ea76280b288aab5646693af777ec1b53c2121be58c961ed99d09927

SHA512
31a95f1941a47cb37cf1b56cbf2907c5b6f4f1284872c36c3007a9121a71f9af33f8709c53230c755f34a530fc44b0e7c6fd5f9ec5a80f936e519a2464e2f4f6

Download Submit
memory/496-138-0x0000000007C40000-0x0000000007CB6000-memory.dmp

Filesize
472KB

Download
memory/496-148-0x0000000008A90000-0x0000000008AAE000-memory.dmp

Filesize
120KB

Download
memory/496-132-0x0000000006C60000-0x0000000006CC6000-memory.dmp

Filesize
408KB

Download
memory/496-354-0x0000000008DA0000-0x0000000008DA8000-memory.dmp

Filesize
32KB

Download
memory/496-133-0x0000000006EB0000-0x0000000006F16000-memory.dmp

Filesize
408KB

Download
memory/496-349-0x0000000008DB0000-0x0000000008DCA000-memory.dmp

Filesize
104KB

Download
memory/496-156-0x0000000009020000-0x00000000090B4000-memory.dmp

Filesize
592KB

Download
memory/496-155-0x0000000000F53000-0x0000000000F54000-memory.dmp

Filesize
4KB

Download
memory/496-126-0x0000000000EC0000-0x0000000000EF6000-memory.dmp

Filesize
216KB

Download
memory/496-154-0x000000007E940000-0x000000007E941000-memory.dmp

Filesize
4KB

Download
memory/496-128-0x0000000007160000-0x0000000007788000-memory.dmp

Filesize
6.2MB

Download
memory/496-153-0x0000000008ED0000-0x0000000008F75000-memory.dmp

Filesize
660KB

Download
memory/496-130-0x0000000000F52000-0x0000000000F53000-memory.dmp

Filesize
4KB

Download
memory/496-131-0x0000000001300000-0x0000000001322000-memory.dmp

Filesize
136KB

Download
memory/496-147-0x0000000008AB0000-0x0000000008AE3000-memory.dmp

Filesize
204KB

Download
memory/496-137-0x0000000007E30000-0x0000000007E7B000-memory.dmp

Filesize
300KB

Download
memory/496-129-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/496-135-0x0000000007790000-0x0000000007AE0000-memory.dmp

Filesize
3.3MB

Download
memory/496-136-0x0000000006CF0000-0x0000000006D0C000-memory.dmp

Filesize
112KB

Download
memory/708-134-0x0000000001A40000-0x0000000001D60000-memory.dmp

Filesize
3.1MB

Download
memory/708-127-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2708-120-0x0000000005A30000-0x0000000005A3C000-memory.dmp

Filesize
48KB

Download
memory/2708-115-0x0000000000ED0000-0x0000000000FA2000-memory.dmp

Filesize
840KB

Download
memory/2708-118-0x0000000005890000-0x0000000005D8E000-memory.dmp

Filesize
5.0MB

Download
memory/2708-117-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/2708-116-0x0000000005D90000-0x000000000628E000-memory.dmp

Filesize
5.0MB

Download
memory/2708-122-0x00000000081C0000-0x0000000008222000-memory.dmp

Filesize
392KB

Download
memory/2708-121-0x0000000008120000-0x00000000081BC000-memory.dmp

Filesize
624KB

Download
memory/2708-119-0x0000000005960000-0x000000000596A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads