xloader | 80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1

General

Target

80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe
Size

275KB
MD5

8f4585f525382c4ff0fd67d9eea7cff8
SHA1

9365f326bfc24cba9347ed0b7935e3100c6ddce3
SHA256

80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1
SHA512

3cc5e703c18019a472097724fab2979ff727fe2dfc705df48aff00fd227b510a35285003784b8538b116234868853c5dbbfafc2263001b1d1135d4820b3e8a8c

Score

10^/10

xloader gab7 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

gab7

Decoy

mbb11.xyz

taishancable.com

karaoke-sega.com

mana-space.com

danielandkaela.com

ancorasports.com

magentaclass.com

tenloe045.xyz

colorbold.com

5starrentertainment.com

candgconstructiontx.com

664cqi.com

alexeykazakov.com

umrashed.space

thepowerof10.club

scotchwoodofficeworks.com

anelis.digital

label34.group

karimico.com

dogsforsaleinkenya.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/648-56-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe

pid process

1880 80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe

pid	process
1880	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe

description	pid	process	target process
PID 1880 set thread context of 648	1880	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe

pid process

648 80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe

pid	process
648	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe

description	pid	process	target process
PID 1880 wrote to memory of 648	1880	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe
PID 1880 wrote to memory of 648	1880	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe
PID 1880 wrote to memory of 648	1880	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe
PID 1880 wrote to memory of 648	1880	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe
PID 1880 wrote to memory of 648	1880	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe
PID 1880 wrote to memory of 648	1880	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe
PID 1880 wrote to memory of 648	1880	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe	80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe

C:\Users\Admin\AppData\Local\Temp\80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe
"C:\Users\Admin\AppData\Local\Temp\80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe
"C:\Users\Admin\AppData\Local\Temp\80e8a8b687288ebb5907d23754a2237c337a1b5f9c30f275190663f0462919b1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:648

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsyC998.tmp\pmwikjp.dll
MD5
9989f6fd8fd15efc976e382b1b944d8e

SHA1
90e4a6bc3f826fa3ea704d3fce8fde145acef8b0

SHA256
9ff95a61f7ce75673e231d756078303dd3ae8bae1b1119a9b6418c0ccc83b54a

SHA512
c40f5734c2da461733b173d7ab57fee1b68c34d440aa84a5a24d63ac98bcd03e5bd47c70e621fdfa32aeb9958664d764c49766fced31845f28ca18d52883a880

Download Submit
memory/648-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/648-57-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/1880-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads