xloader | 11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41

General

Target

11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe
Size

782KB
MD5

076b5c48111ac20de4e6f72cfa3393f1
SHA1

06439b289cdfdd08164d4bed0c7f6f2d92d8c769
SHA256

11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41
SHA512

a7da7825eb785b0fa31979af5c1bf9010f18cbf7f61b6b0dfc9ef9dae845d345b2df47f53a07dae012d5c33f3f890ece2473477faf33ef59aeeddaba28c18b2b

Score

10^/10

xloader nt3f loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2032-127-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe

description	pid	process	target process
PID 2500 set thread context of 2032	2500	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2920 schtasks.exe

pid	process
2920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe

pid	process
3544	powershell.exe
2032	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe
2032	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe
3544	powershell.exe
3544	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3544 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3544	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe

description	pid	process	target process
PID 2500 wrote to memory of 3544	2500	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe	powershell.exe
PID 2500 wrote to memory of 3544	2500	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe	powershell.exe
PID 2500 wrote to memory of 3544	2500	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe	powershell.exe
PID 2500 wrote to memory of 2920	2500	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe	schtasks.exe
PID 2500 wrote to memory of 2920	2500	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe	schtasks.exe
PID 2500 wrote to memory of 2920	2500	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe	schtasks.exe
PID 2500 wrote to memory of 2032	2500	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe
PID 2500 wrote to memory of 2032	2500	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe
PID 2500 wrote to memory of 2032	2500	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe
PID 2500 wrote to memory of 2032	2500	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe
PID 2500 wrote to memory of 2032	2500	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe
PID 2500 wrote to memory of 2032	2500	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe	11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe

C:\Users\Admin\AppData\Local\Temp\11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe
"C:\Users\Admin\AppData\Local\Temp\11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ubRPPGAHBbheAf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ubRPPGAHBbheAf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5792.tmp"
2⤵
- Creates scheduled task(s)
PID:2920

C:\Users\Admin\AppData\Local\Temp\11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe
"C:\Users\Admin\AppData\Local\Temp\11d9365302786fe34113c070a9e6ed32a7209c8de10eb21ef8d4a8eeb1215d41.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2032

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5792.tmp
MD5
9cce8df4371b5ec3462445dc611fd267

SHA1
efef4c5d204328b57457a5a25ba6d74611e6ffc0

SHA256
9ee7210d1971f9c247aeb0e4673d5b49a0d8a575fed60c7b981f1de55a91e558

SHA512
dce980db7325b72b6e5c37fde031e68a9b97fd85d952d02048f3fae0f5cab0b7c7f25b28be4dd854add40dbb0ededee8f13084b1863b87c2c6ceb1a7df7c7fbd

Download Submit
memory/2032-135-0x00000000017D0000-0x0000000001AF0000-memory.dmp

Filesize
3.1MB

Download
memory/2032-127-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2500-115-0x0000000000230000-0x00000000002FC000-memory.dmp

Filesize
816KB

Download
memory/2500-116-0x0000000005150000-0x000000000564E000-memory.dmp

Filesize
5.0MB

Download
memory/2500-117-0x0000000004CF0000-0x0000000004D82000-memory.dmp

Filesize
584KB

Download
memory/2500-118-0x0000000004BC0000-0x0000000004C30000-memory.dmp

Filesize
448KB

Download
memory/2500-119-0x0000000004C90000-0x0000000004C9A000-memory.dmp

Filesize
40KB

Download
memory/2500-120-0x0000000007320000-0x000000000732C000-memory.dmp

Filesize
48KB

Download
memory/2500-121-0x0000000007650000-0x00000000076EC000-memory.dmp

Filesize
624KB

Download
memory/2500-122-0x0000000007900000-0x000000000795E000-memory.dmp

Filesize
376KB

Download
memory/3544-131-0x0000000007780000-0x00000000077A2000-memory.dmp

Filesize
136KB

Download
memory/3544-137-0x0000000008B40000-0x0000000008B8B000-memory.dmp

Filesize
300KB

Download
memory/3544-130-0x0000000007252000-0x0000000007253000-memory.dmp

Filesize
4KB

Download
memory/3544-128-0x0000000007890000-0x0000000007EB8000-memory.dmp

Filesize
6.2MB

Download
memory/3544-132-0x0000000007F70000-0x0000000007FD6000-memory.dmp

Filesize
408KB

Download
memory/3544-133-0x0000000007FE0000-0x0000000008046000-memory.dmp

Filesize
408KB

Download
memory/3544-126-0x0000000004DF0000-0x0000000004E26000-memory.dmp

Filesize
216KB

Download
memory/3544-134-0x0000000008290000-0x00000000085E0000-memory.dmp

Filesize
3.3MB

Download
memory/3544-136-0x00000000080B0000-0x00000000080CC000-memory.dmp

Filesize
112KB

Download
memory/3544-129-0x0000000007250000-0x0000000007251000-memory.dmp

Filesize
4KB

Download
memory/3544-138-0x0000000008890000-0x0000000008906000-memory.dmp

Filesize
472KB

Download
memory/3544-147-0x00000000097C0000-0x00000000097F3000-memory.dmp

Filesize
204KB

Download
memory/3544-148-0x00000000097A0000-0x00000000097BE000-memory.dmp

Filesize
120KB

Download
memory/3544-153-0x0000000009B00000-0x0000000009BA5000-memory.dmp

Filesize
660KB

Download
memory/3544-154-0x0000000009CE0000-0x0000000009D74000-memory.dmp

Filesize
592KB

Download
memory/3544-223-0x000000007ECA0000-0x000000007ECA1000-memory.dmp

Filesize
4KB

Download
memory/3544-224-0x0000000007253000-0x0000000007254000-memory.dmp

Filesize
4KB

Download
memory/3544-349-0x0000000009C70000-0x0000000009C8A000-memory.dmp

Filesize
104KB

Download
memory/3544-354-0x0000000009C60000-0x0000000009C68000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads