xloader | ffebbdfbf43481f261924e72b9c3acb4b503d41549ab926015159af4d1f7f1fc

General

Target

ae534f8ee5cc7d3d9345d4b97db45f8a.exe
Size

249KB
MD5

ae534f8ee5cc7d3d9345d4b97db45f8a
SHA1

93f37d06fc07fd90323eb3cd1eb316ed8fc3292e
SHA256

ffebbdfbf43481f261924e72b9c3acb4b503d41549ab926015159af4d1f7f1fc
SHA512

446267307baf55a6ae8dc3aca47f5b18171d4612ef237c5241258f8d74805344e376e81396c73c157d19e9642ea5feae9199740ddb8bf23770663d51b940a54f

Score

10^/10

xloader ndf8 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ndf8

Decoy

cantobait.com

theangularteam.com

qq2222.xyz

floridasteamclean.com

daffodilhilldesigns.com

mindfulagilecoaching.com

xbyll.com

jessicaepedro2021.net

ccssv.top

zenginbilgiler.com

partumball.com

1681890.com

schippermediaproductions.com

m2volleyballclub.com

ooiase.com

sharingtechnology.net

kiminplaka.com

usedgeartrader.com

cosyba.com

foodfriendshipandyou.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/672-56-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

ae534f8ee5cc7d3d9345d4b97db45f8a.exe

pid process

1176 ae534f8ee5cc7d3d9345d4b97db45f8a.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ae534f8ee5cc7d3d9345d4b97db45f8a.exe

description pid process target process

PID 1176 set thread context of 672 1176 ae534f8ee5cc7d3d9345d4b97db45f8a.exe ae534f8ee5cc7d3d9345d4b97db45f8a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ae534f8ee5cc7d3d9345d4b97db45f8a.exe

pid process

672 ae534f8ee5cc7d3d9345d4b97db45f8a.exe

pid	process
1176	ae534f8ee5cc7d3d9345d4b97db45f8a.exe

description	pid	process	target process
PID 1176 set thread context of 672	1176	ae534f8ee5cc7d3d9345d4b97db45f8a.exe	ae534f8ee5cc7d3d9345d4b97db45f8a.exe

pid	process
672	ae534f8ee5cc7d3d9345d4b97db45f8a.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

ae534f8ee5cc7d3d9345d4b97db45f8a.exe

description	pid	process	target process
PID 1176 wrote to memory of 672	1176	ae534f8ee5cc7d3d9345d4b97db45f8a.exe	ae534f8ee5cc7d3d9345d4b97db45f8a.exe
PID 1176 wrote to memory of 672	1176	ae534f8ee5cc7d3d9345d4b97db45f8a.exe	ae534f8ee5cc7d3d9345d4b97db45f8a.exe
PID 1176 wrote to memory of 672	1176	ae534f8ee5cc7d3d9345d4b97db45f8a.exe	ae534f8ee5cc7d3d9345d4b97db45f8a.exe
PID 1176 wrote to memory of 672	1176	ae534f8ee5cc7d3d9345d4b97db45f8a.exe	ae534f8ee5cc7d3d9345d4b97db45f8a.exe
PID 1176 wrote to memory of 672	1176	ae534f8ee5cc7d3d9345d4b97db45f8a.exe	ae534f8ee5cc7d3d9345d4b97db45f8a.exe
PID 1176 wrote to memory of 672	1176	ae534f8ee5cc7d3d9345d4b97db45f8a.exe	ae534f8ee5cc7d3d9345d4b97db45f8a.exe
PID 1176 wrote to memory of 672	1176	ae534f8ee5cc7d3d9345d4b97db45f8a.exe	ae534f8ee5cc7d3d9345d4b97db45f8a.exe

C:\Users\Admin\AppData\Local\Temp\ae534f8ee5cc7d3d9345d4b97db45f8a.exe
"C:\Users\Admin\AppData\Local\Temp\ae534f8ee5cc7d3d9345d4b97db45f8a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Local\Temp\ae534f8ee5cc7d3d9345d4b97db45f8a.exe
"C:\Users\Admin\AppData\Local\Temp\ae534f8ee5cc7d3d9345d4b97db45f8a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:672

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstFF67.tmp\yzsziz.dll
MD5
3f0c5309d04570d57b42d280d467bc97

SHA1
97c6bf5d31fe594a7e8222e100ac6a65a67dd2b7

SHA256
e26db32ce437b6736858261d510403b3029117d5e5c3c497cc5b6a2d5c496640

SHA512
4d755d2449f7e09ce8c7589f9cef4b7bfc59698b78ed1c895dd6175179eb07cf96adf0d9bc24354ceedb31f3cabf8baf70111eb1b37ad06aeff35c2f08fa0d81

Download Submit
memory/672-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/672-57-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1176-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing