xloader | 947a0f977737ff7dfa8ae17eb2eff4b0ec4b51479c76f12f60d0b8c40ca9d323

General

Target

INV88272727271_REQUIREMENT_02727272272.exe
Size

245KB
MD5

1a97ab72ef6c22d9508ad78db60ca205
SHA1

05122e7544d6eaa53aaf36cc34aff27a17a192d7
SHA256

947a0f977737ff7dfa8ae17eb2eff4b0ec4b51479c76f12f60d0b8c40ca9d323
SHA512

cb541ef914b7c998913dfe0359a1b42345fc5705f174399c8153cab4e2a6c542d6881ef00d83505c6fbc3b38c1eddf033bc90ca67dcc3050f8d3264caa34ed36

Score

10^/10

xloader rmfg loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rmfg

Decoy

prospectcompounding.com

grand-prix.voyage

solvingpklogc.xyz

eliamhome.com

gamevip88.club

arsels.info

dswlt.com

dchehe.com

lawyerjerusalem.com

pbnseo.xyz

apuryifuid.com

kiukiupoker88.net

leannonimpact.com

kare-furniture.com

mississaugaremax.online

zpyh198.com

dueplay.store

naimi.ltd

greenstepspodiatry.com

cewirtanen.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/776-56-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

INV88272727271_REQUIREMENT_02727272272.exe

pid process

1460 INV88272727271_REQUIREMENT_02727272272.exe

pid	process
1460	INV88272727271_REQUIREMENT_02727272272.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

INV88272727271_REQUIREMENT_02727272272.exe

description	pid	process	target process
PID 1460 set thread context of 776	1460	INV88272727271_REQUIREMENT_02727272272.exe	INV88272727271_REQUIREMENT_02727272272.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

INV88272727271_REQUIREMENT_02727272272.exe

pid process

776 INV88272727271_REQUIREMENT_02727272272.exe

pid	process
776	INV88272727271_REQUIREMENT_02727272272.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

INV88272727271_REQUIREMENT_02727272272.exe

description	pid	process	target process
PID 1460 wrote to memory of 776	1460	INV88272727271_REQUIREMENT_02727272272.exe	INV88272727271_REQUIREMENT_02727272272.exe
PID 1460 wrote to memory of 776	1460	INV88272727271_REQUIREMENT_02727272272.exe	INV88272727271_REQUIREMENT_02727272272.exe
PID 1460 wrote to memory of 776	1460	INV88272727271_REQUIREMENT_02727272272.exe	INV88272727271_REQUIREMENT_02727272272.exe
PID 1460 wrote to memory of 776	1460	INV88272727271_REQUIREMENT_02727272272.exe	INV88272727271_REQUIREMENT_02727272272.exe
PID 1460 wrote to memory of 776	1460	INV88272727271_REQUIREMENT_02727272272.exe	INV88272727271_REQUIREMENT_02727272272.exe
PID 1460 wrote to memory of 776	1460	INV88272727271_REQUIREMENT_02727272272.exe	INV88272727271_REQUIREMENT_02727272272.exe
PID 1460 wrote to memory of 776	1460	INV88272727271_REQUIREMENT_02727272272.exe	INV88272727271_REQUIREMENT_02727272272.exe

C:\Users\Admin\AppData\Local\Temp\INV88272727271_REQUIREMENT_02727272272.exe
"C:\Users\Admin\AppData\Local\Temp\INV88272727271_REQUIREMENT_02727272272.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\INV88272727271_REQUIREMENT_02727272272.exe
  "C:\Users\Admin\AppData\Local\Temp\INV88272727271_REQUIREMENT_02727272272.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsyF5C6.tmp\xjzq.dll

MD5
2a17c8c8f13a3cde9c7f0da98d7f2c71

SHA1
cfb4dc9a82c18285fba188b2556327a7415cd2b5

SHA256
811ec72790978744eb3367756a5be669217e6cd8acad47fac733a8c6d094db20

SHA512
1499bbd6e947c3cdefd164944a8adedee58321d65e1766a534904e27fb3f5e9245d4e75f0d6915c7c726b3fc28d60220f991f6af19aae2294cc164d542987f96

Download Submit
memory/776-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/776-57-0x0000000000730000-0x0000000000A33000-memory.dmp

Filesize
3.0MB

Download
memory/1460-54-0x0000000075431000-0x0000000075433000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads