xloader | 0418190aadd19ac9ea51c98d516f178ce5378a5d4354d44a9b49ac814b49325e

General

Target

38aed2534480c27c816c57ee6a369f87.exe
Size

489KB
MD5

38aed2534480c27c816c57ee6a369f87
SHA1

3a1d97bffba30b52704e8787af93cf1d6a56e16c
SHA256

0418190aadd19ac9ea51c98d516f178ce5378a5d4354d44a9b49ac814b49325e
SHA512

aa3a23b9ac43b2cde9e29a87067a5729d0246e367f4656fe58be3371bb846d2e2d681fcdd2cbf2e4841513b6f3ff677cff75167aab79cbb003d62da1b614f3fa

Score

10^/10

xloader nt3f loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4568-131-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

38aed2534480c27c816c57ee6a369f87.exe

pid process

3840 38aed2534480c27c816c57ee6a369f87.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

38aed2534480c27c816c57ee6a369f87.exe

description pid process target process

PID 3840 set thread context of 4568 3840 38aed2534480c27c816c57ee6a369f87.exe 38aed2534480c27c816c57ee6a369f87.exe

pid	process
3840	38aed2534480c27c816c57ee6a369f87.exe

description	pid	process	target process
PID 3840 set thread context of 4568	3840	38aed2534480c27c816c57ee6a369f87.exe	38aed2534480c27c816c57ee6a369f87.exe

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

38aed2534480c27c816c57ee6a369f87.exe

pid process

4568 38aed2534480c27c816c57ee6a369f87.exe
4568 38aed2534480c27c816c57ee6a369f87.exe

pid	process
4568	38aed2534480c27c816c57ee6a369f87.exe
4568	38aed2534480c27c816c57ee6a369f87.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	4148	svchost.exe
Token: SeCreatePagefilePrivilege	4148	svchost.exe
Token: SeShutdownPrivilege	4148	svchost.exe
Token: SeCreatePagefilePrivilege	4148	svchost.exe
Token: SeShutdownPrivilege	4148	svchost.exe
Token: SeCreatePagefilePrivilege	4148	svchost.exe
Token: SeSecurityPrivilege	1284	TiWorker.exe
Token: SeRestorePrivilege	1284	TiWorker.exe
Token: SeBackupPrivilege	1284	TiWorker.exe
Token: SeBackupPrivilege	1284	TiWorker.exe
Token: SeRestorePrivilege	1284	TiWorker.exe
Token: SeSecurityPrivilege	1284	TiWorker.exe
Token: SeBackupPrivilege	1284	TiWorker.exe
Token: SeRestorePrivilege	1284	TiWorker.exe
Token: SeSecurityPrivilege	1284	TiWorker.exe
Token: SeBackupPrivilege	1284	TiWorker.exe
Token: SeRestorePrivilege	1284	TiWorker.exe
Token: SeSecurityPrivilege	1284	TiWorker.exe
Token: SeBackupPrivilege	1284	TiWorker.exe
Token: SeRestorePrivilege	1284	TiWorker.exe
Token: SeSecurityPrivilege	1284	TiWorker.exe
Token: SeBackupPrivilege	1284	TiWorker.exe
Token: SeRestorePrivilege	1284	TiWorker.exe
Token: SeSecurityPrivilege	1284	TiWorker.exe
Token: SeBackupPrivilege	1284	TiWorker.exe
Token: SeRestorePrivilege	1284	TiWorker.exe
Token: SeSecurityPrivilege	1284	TiWorker.exe
Token: SeBackupPrivilege	1284	TiWorker.exe
Token: SeRestorePrivilege	1284	TiWorker.exe
Token: SeSecurityPrivilege	1284	TiWorker.exe
Token: SeBackupPrivilege	1284	TiWorker.exe
Token: SeRestorePrivilege	1284	TiWorker.exe
Token: SeSecurityPrivilege	1284	TiWorker.exe
Token: SeBackupPrivilege	1284	TiWorker.exe
Token: SeRestorePrivilege	1284	TiWorker.exe
Token: SeSecurityPrivilege	1284	TiWorker.exe
Token: SeBackupPrivilege	1284	TiWorker.exe
Token: SeRestorePrivilege	1284	TiWorker.exe
Token: SeSecurityPrivilege	1284	TiWorker.exe
Token: SeBackupPrivilege	1284	TiWorker.exe
Token: SeRestorePrivilege	1284	TiWorker.exe
Token: SeSecurityPrivilege	1284	TiWorker.exe
Token: SeBackupPrivilege	1284	TiWorker.exe
Token: SeRestorePrivilege	1284	TiWorker.exe
Token: SeSecurityPrivilege	1284	TiWorker.exe
Token: SeBackupPrivilege	1284	TiWorker.exe
Token: SeRestorePrivilege	1284	TiWorker.exe
Token: SeSecurityPrivilege	1284	TiWorker.exe
Token: SeBackupPrivilege	1284	TiWorker.exe
Token: SeRestorePrivilege	1284	TiWorker.exe
Token: SeSecurityPrivilege	1284	TiWorker.exe
Token: SeBackupPrivilege	1284	TiWorker.exe
Token: SeRestorePrivilege	1284	TiWorker.exe
Token: SeSecurityPrivilege	1284	TiWorker.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

38aed2534480c27c816c57ee6a369f87.exe

description	pid	process	target process
PID 3840 wrote to memory of 4568	3840	38aed2534480c27c816c57ee6a369f87.exe	38aed2534480c27c816c57ee6a369f87.exe
PID 3840 wrote to memory of 4568	3840	38aed2534480c27c816c57ee6a369f87.exe	38aed2534480c27c816c57ee6a369f87.exe
PID 3840 wrote to memory of 4568	3840	38aed2534480c27c816c57ee6a369f87.exe	38aed2534480c27c816c57ee6a369f87.exe
PID 3840 wrote to memory of 4568	3840	38aed2534480c27c816c57ee6a369f87.exe	38aed2534480c27c816c57ee6a369f87.exe
PID 3840 wrote to memory of 4568	3840	38aed2534480c27c816c57ee6a369f87.exe	38aed2534480c27c816c57ee6a369f87.exe
PID 3840 wrote to memory of 4568	3840	38aed2534480c27c816c57ee6a369f87.exe	38aed2534480c27c816c57ee6a369f87.exe

C:\Users\Admin\AppData\Local\Temp\38aed2534480c27c816c57ee6a369f87.exe
"C:\Users\Admin\AppData\Local\Temp\38aed2534480c27c816c57ee6a369f87.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3840

C:\Users\Admin\AppData\Local\Temp\38aed2534480c27c816c57ee6a369f87.exe
"C:\Users\Admin\AppData\Local\Temp\38aed2534480c27c816c57ee6a369f87.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsx299B.tmp\qtevjlboywc.dll
MD5
7ab1f960243256a5a844b4e6d60572f5

SHA1
d1d0da605c3f65a1d9e2f60f3ea2eb5aa602d27b

SHA256
5255231c384c64a605d5a1c828df7375455ccb844d4ed2519ae9f656c65b007c

SHA512
3ce50ab0041d414ebb9056495eec74053f5ef0b448bed6caf039c650f2c42ed97e01aa8ba293a7134195bcab6de12f04dacad904e5d59c58c777e8a8ee5acb5f

Download Submit
memory/4148-133-0x0000024E04F30000-0x0000024E04F40000-memory.dmp

Filesize
64KB

Download
memory/4148-134-0x0000024E04F90000-0x0000024E04FA0000-memory.dmp

Filesize
64KB

Download
memory/4148-135-0x0000024E07C90000-0x0000024E07C94000-memory.dmp

Filesize
16KB

Download
memory/4568-131-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4568-132-0x0000000000A50000-0x0000000000D9A000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads