xloader | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce

General

Target

6a4fc759c24fad7472caae24be49eab9.exe
Size

250KB
MD5

6a4fc759c24fad7472caae24be49eab9
SHA1

698a5efcbcafe01ba8214eb6255803f193981716
SHA256

f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce
SHA512

9013add08fda34a917e9ecdb389361a1e390fc48515b9d76558cb3160add9e3873995f17546616c375d091aa63b7f8e691045918938639471fadae977425ccda

Score

10^/10

xloader p2a5 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p2a5

Decoy

gorillaslovebananas.com

zonaextasis.com

digitalpravin.online

memorialdoors.com

departmenteindhoven.com

vipulb.com

ruyibao365.com

ynpzz.com

matthewandjessica.com

winfrey2024.com

janetride.com

arairazur.xyz

alltheheads.com

amayawebdesigns.com

califunder.com

blacksource.xyz

farmasi.agency

ilmkibahar.com

thinkcentury.net

eskortclub.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/668-56-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

6a4fc759c24fad7472caae24be49eab9.exe

pid process

1888 6a4fc759c24fad7472caae24be49eab9.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

6a4fc759c24fad7472caae24be49eab9.exe

description pid process target process

PID 1888 set thread context of 668 1888 6a4fc759c24fad7472caae24be49eab9.exe 6a4fc759c24fad7472caae24be49eab9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6a4fc759c24fad7472caae24be49eab9.exe

pid process

668 6a4fc759c24fad7472caae24be49eab9.exe

pid	process
1888	6a4fc759c24fad7472caae24be49eab9.exe

description	pid	process	target process
PID 1888 set thread context of 668	1888	6a4fc759c24fad7472caae24be49eab9.exe	6a4fc759c24fad7472caae24be49eab9.exe

pid	process
668	6a4fc759c24fad7472caae24be49eab9.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

6a4fc759c24fad7472caae24be49eab9.exe

description	pid	process	target process
PID 1888 wrote to memory of 668	1888	6a4fc759c24fad7472caae24be49eab9.exe	6a4fc759c24fad7472caae24be49eab9.exe
PID 1888 wrote to memory of 668	1888	6a4fc759c24fad7472caae24be49eab9.exe	6a4fc759c24fad7472caae24be49eab9.exe
PID 1888 wrote to memory of 668	1888	6a4fc759c24fad7472caae24be49eab9.exe	6a4fc759c24fad7472caae24be49eab9.exe
PID 1888 wrote to memory of 668	1888	6a4fc759c24fad7472caae24be49eab9.exe	6a4fc759c24fad7472caae24be49eab9.exe
PID 1888 wrote to memory of 668	1888	6a4fc759c24fad7472caae24be49eab9.exe	6a4fc759c24fad7472caae24be49eab9.exe
PID 1888 wrote to memory of 668	1888	6a4fc759c24fad7472caae24be49eab9.exe	6a4fc759c24fad7472caae24be49eab9.exe
PID 1888 wrote to memory of 668	1888	6a4fc759c24fad7472caae24be49eab9.exe	6a4fc759c24fad7472caae24be49eab9.exe

C:\Users\Admin\AppData\Local\Temp\6a4fc759c24fad7472caae24be49eab9.exe
"C:\Users\Admin\AppData\Local\Temp\6a4fc759c24fad7472caae24be49eab9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\6a4fc759c24fad7472caae24be49eab9.exe
"C:\Users\Admin\AppData\Local\Temp\6a4fc759c24fad7472caae24be49eab9.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:668

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdC71.tmp\ikagqucw.dll
MD5
403fb1aa3c56887b803180dbebfd7833

SHA1
3e7e706b0df3fe0953e7671ecb082bc00f7d99ee

SHA256
0f4a87ceff52441a082768a4809d306f0906d8700e6ef7aab0146ad442d8c2e8

SHA512
3a9eca03abcfa488e1ee6edc1fa96a011b7c89fdd609ee5a3f8759fdc3deb56c737665a367ada5317d89016f106c4f6cfd2fa7a5943603056444297f21cba1ae

Download Submit
memory/668-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/668-57-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/1888-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing