xloader | 0377503f9ea4c7434be2f46af869900b9839be33121edcbdeeae9b8d8e0cdcce

General

Target

26663089f8c68e799360aedc5b1a0b30.exe
Size

480KB
MD5

26663089f8c68e799360aedc5b1a0b30
SHA1

ba7a6cbc65e8112e06bac1bd9f82eeeaa60df7bf
SHA256

0377503f9ea4c7434be2f46af869900b9839be33121edcbdeeae9b8d8e0cdcce
SHA512

3ba6184a8e92bc235066f7bb6f6234feb83109393961d0db76a303f3ed7d2517e2dc57f0b8e0969297aa1e7d4b83bf4a0f7c6d13cd95e74c857a56254a5e1e82

Score

10^/10

xloader nt3f loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3648-129-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

26663089f8c68e799360aedc5b1a0b30.exe

description pid process target process

PID 1196 set thread context of 3648 1196 26663089f8c68e799360aedc5b1a0b30.exe 26663089f8c68e799360aedc5b1a0b30.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2704 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe26663089f8c68e799360aedc5b1a0b30.exe

pid process

1288 powershell.exe
3648 26663089f8c68e799360aedc5b1a0b30.exe
3648 26663089f8c68e799360aedc5b1a0b30.exe
1288 powershell.exe
1288 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1288 powershell.exe

description	pid	process	target process
PID 1196 set thread context of 3648	1196	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe

pid	process
2704	schtasks.exe

pid	process
1288	powershell.exe
3648	26663089f8c68e799360aedc5b1a0b30.exe
3648	26663089f8c68e799360aedc5b1a0b30.exe
1288	powershell.exe
1288	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1288	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

26663089f8c68e799360aedc5b1a0b30.exe

description	pid	process	target process
PID 1196 wrote to memory of 1288	1196	26663089f8c68e799360aedc5b1a0b30.exe	powershell.exe
PID 1196 wrote to memory of 1288	1196	26663089f8c68e799360aedc5b1a0b30.exe	powershell.exe
PID 1196 wrote to memory of 1288	1196	26663089f8c68e799360aedc5b1a0b30.exe	powershell.exe
PID 1196 wrote to memory of 2704	1196	26663089f8c68e799360aedc5b1a0b30.exe	schtasks.exe
PID 1196 wrote to memory of 2704	1196	26663089f8c68e799360aedc5b1a0b30.exe	schtasks.exe
PID 1196 wrote to memory of 2704	1196	26663089f8c68e799360aedc5b1a0b30.exe	schtasks.exe
PID 1196 wrote to memory of 3648	1196	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1196 wrote to memory of 3648	1196	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1196 wrote to memory of 3648	1196	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1196 wrote to memory of 3648	1196	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1196 wrote to memory of 3648	1196	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1196 wrote to memory of 3648	1196	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe

C:\Users\Admin\AppData\Local\Temp\26663089f8c68e799360aedc5b1a0b30.exe
"C:\Users\Admin\AppData\Local\Temp\26663089f8c68e799360aedc5b1a0b30.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wuASGd.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wuASGd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD22C.tmp"
2⤵
- Creates scheduled task(s)
PID:2704

C:\Users\Admin\AppData\Local\Temp\26663089f8c68e799360aedc5b1a0b30.exe
"C:\Users\Admin\AppData\Local\Temp\26663089f8c68e799360aedc5b1a0b30.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD22C.tmp
MD5
bd283450196b8235e2a115085f469e11

SHA1
f4d10cf1ce3db9dd38acd5cd0f31c4126566cd34

SHA256
91f242ecef7a0a11b832b1db6e97f9e49267bcd6cfca7b2470eade82c0f1d9d4

SHA512
8e9bdee406500a2881bcd018c94c8bc55d4964dda5726efa7888506bc8bda33a8a9ba265a2f2aeb4cb7e0bead100ccec1580eac54bc8bf07c249359ef3108b0a

Download Submit
memory/1196-118-0x0000000000D30000-0x0000000000DAE000-memory.dmp

Filesize
504KB

Download
memory/1196-119-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/1196-120-0x0000000005660000-0x0000000005674000-memory.dmp

Filesize
80KB

Download
memory/1196-121-0x00000000059A0000-0x0000000005A32000-memory.dmp

Filesize
584KB

Download
memory/1196-122-0x0000000001500000-0x000000000159C000-memory.dmp

Filesize
624KB

Download
memory/1196-123-0x0000000002F80000-0x0000000002FDE000-memory.dmp

Filesize
376KB

Download
memory/1196-124-0x0000000006140000-0x000000000663E000-memory.dmp

Filesize
5.0MB

Download
memory/1288-135-0x0000000007D90000-0x0000000007DF6000-memory.dmp

Filesize
408KB

Download
memory/1288-139-0x0000000008210000-0x000000000825B000-memory.dmp

Filesize
300KB

Download
memory/1288-130-0x00000000076F0000-0x0000000007D18000-memory.dmp

Filesize
6.2MB

Download
memory/1288-131-0x00000000072A0000-0x00000000072C2000-memory.dmp

Filesize
136KB

Download
memory/1288-132-0x0000000007440000-0x00000000074A6000-memory.dmp

Filesize
408KB

Download
memory/1288-133-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/1288-128-0x0000000001110000-0x0000000001146000-memory.dmp

Filesize
216KB

Download
memory/1288-134-0x00000000070B2000-0x00000000070B3000-memory.dmp

Filesize
4KB

Download
memory/1288-356-0x00000000094D0000-0x00000000094D8000-memory.dmp

Filesize
32KB

Download
memory/1288-137-0x0000000007E00000-0x0000000008150000-memory.dmp

Filesize
3.3MB

Download
memory/1288-138-0x0000000007640000-0x000000000765C000-memory.dmp

Filesize
112KB

Download
memory/1288-351-0x0000000009560000-0x000000000957A000-memory.dmp

Filesize
104KB

Download
memory/1288-140-0x00000000084B0000-0x0000000008526000-memory.dmp

Filesize
472KB

Download
memory/1288-149-0x00000000095A0000-0x00000000095D3000-memory.dmp

Filesize
204KB

Download
memory/1288-150-0x0000000009200000-0x000000000921E000-memory.dmp

Filesize
120KB

Download
memory/1288-155-0x00000000096D0000-0x0000000009775000-memory.dmp

Filesize
660KB

Download
memory/1288-156-0x000000007EC10000-0x000000007EC11000-memory.dmp

Filesize
4KB

Download
memory/1288-157-0x0000000009860000-0x00000000098F4000-memory.dmp

Filesize
592KB

Download
memory/1288-224-0x00000000070B3000-0x00000000070B4000-memory.dmp

Filesize
4KB

Download
memory/3648-129-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3648-136-0x00000000016F0000-0x0000000001A10000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads