xloader | 508cb22224be3ffe5f189767b150490b717fdfbbdea4ea41c3a1add4ecfe7730

General

Target

47811f527386f1024081701f3812deb7.exe
Size

520KB
MD5

47811f527386f1024081701f3812deb7
SHA1

16934d7dbc4ad5f583f3721e180c0669a57c5c84
SHA256

508cb22224be3ffe5f189767b150490b717fdfbbdea4ea41c3a1add4ecfe7730
SHA512

df060d3d595f6da2a25f54c8ecf4398bbe83c3bc39f15c258f3a984a77578389019095355f082adb9a4921390bf53c2c06b098cb7a9639ef1c13cc343fcc4f03

Score

10^/10

xloader r87g loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

r87g

Decoy

gzjyjzsj.com

rapibest.com

affordablebathroomsbyfrank.net

roboruben.com

xn--dlisucr-byag.com

encoreasso.com

piscire.com

dixiebusybee.com

newrome.xyz

sunshinejon.com

glacierforfcs.xyz

borhanmarket.com

tous-des-cons.club

hsfstea.com

spiniform.info

vaicomfibra.com

shinigami.xyz

kryptoindia.com

listentoappetite.com

securepplpay.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1760-66-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1760-67-0x000000000041D480-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

47811f527386f1024081701f3812deb7.exe

description pid process target process

PID 1860 set thread context of 1760 1860 47811f527386f1024081701f3812deb7.exe 47811f527386f1024081701f3812deb7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1968 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

47811f527386f1024081701f3812deb7.exe47811f527386f1024081701f3812deb7.exepowershell.exe

pid process

1860 47811f527386f1024081701f3812deb7.exe
1760 47811f527386f1024081701f3812deb7.exe
1724 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

47811f527386f1024081701f3812deb7.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1860 47811f527386f1024081701f3812deb7.exe
Token: SeDebugPrivilege 1724 powershell.exe

description	pid	process	target process
PID 1860 set thread context of 1760	1860	47811f527386f1024081701f3812deb7.exe	47811f527386f1024081701f3812deb7.exe

pid	process
1968	schtasks.exe

pid	process
1860	47811f527386f1024081701f3812deb7.exe
1760	47811f527386f1024081701f3812deb7.exe
1724	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1860	47811f527386f1024081701f3812deb7.exe
Token: SeDebugPrivilege	1724	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

47811f527386f1024081701f3812deb7.exe

description	pid	process	target process
PID 1860 wrote to memory of 1724	1860	47811f527386f1024081701f3812deb7.exe	powershell.exe
PID 1860 wrote to memory of 1724	1860	47811f527386f1024081701f3812deb7.exe	powershell.exe
PID 1860 wrote to memory of 1724	1860	47811f527386f1024081701f3812deb7.exe	powershell.exe
PID 1860 wrote to memory of 1724	1860	47811f527386f1024081701f3812deb7.exe	powershell.exe
PID 1860 wrote to memory of 1968	1860	47811f527386f1024081701f3812deb7.exe	schtasks.exe
PID 1860 wrote to memory of 1968	1860	47811f527386f1024081701f3812deb7.exe	schtasks.exe
PID 1860 wrote to memory of 1968	1860	47811f527386f1024081701f3812deb7.exe	schtasks.exe
PID 1860 wrote to memory of 1968	1860	47811f527386f1024081701f3812deb7.exe	schtasks.exe
PID 1860 wrote to memory of 900	1860	47811f527386f1024081701f3812deb7.exe	47811f527386f1024081701f3812deb7.exe
PID 1860 wrote to memory of 900	1860	47811f527386f1024081701f3812deb7.exe	47811f527386f1024081701f3812deb7.exe
PID 1860 wrote to memory of 900	1860	47811f527386f1024081701f3812deb7.exe	47811f527386f1024081701f3812deb7.exe
PID 1860 wrote to memory of 900	1860	47811f527386f1024081701f3812deb7.exe	47811f527386f1024081701f3812deb7.exe
PID 1860 wrote to memory of 1760	1860	47811f527386f1024081701f3812deb7.exe	47811f527386f1024081701f3812deb7.exe
PID 1860 wrote to memory of 1760	1860	47811f527386f1024081701f3812deb7.exe	47811f527386f1024081701f3812deb7.exe
PID 1860 wrote to memory of 1760	1860	47811f527386f1024081701f3812deb7.exe	47811f527386f1024081701f3812deb7.exe
PID 1860 wrote to memory of 1760	1860	47811f527386f1024081701f3812deb7.exe	47811f527386f1024081701f3812deb7.exe
PID 1860 wrote to memory of 1760	1860	47811f527386f1024081701f3812deb7.exe	47811f527386f1024081701f3812deb7.exe
PID 1860 wrote to memory of 1760	1860	47811f527386f1024081701f3812deb7.exe	47811f527386f1024081701f3812deb7.exe
PID 1860 wrote to memory of 1760	1860	47811f527386f1024081701f3812deb7.exe	47811f527386f1024081701f3812deb7.exe

C:\Users\Admin\AppData\Local\Temp\47811f527386f1024081701f3812deb7.exe
"C:\Users\Admin\AppData\Local\Temp\47811f527386f1024081701f3812deb7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QuPVQiTftBFHdL.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QuPVQiTftBFHdL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF48D.tmp"
2⤵
- Creates scheduled task(s)
PID:1968

C:\Users\Admin\AppData\Local\Temp\47811f527386f1024081701f3812deb7.exe
"C:\Users\Admin\AppData\Local\Temp\47811f527386f1024081701f3812deb7.exe"
2⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\47811f527386f1024081701f3812deb7.exe
"C:\Users\Admin\AppData\Local\Temp\47811f527386f1024081701f3812deb7.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1760

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF48D.tmp
Filesize
1KB

MD5
bde4b8075f5dd43d70673cd8a024b2d5

SHA1
4e18220091dc3fe6b542faed5116a4b20b95a904

SHA256
418c017d2e21ce77f0d068e06647c91c74a2ba62495011d2195d9c38d7123480

SHA512
1d57aa2f1da528a3873ff454767eb83cc58e494e2e246542ef660038d54c88c3d4db55f25744c4fa183f123a0b2152d28cac594c1bc3d5f514d0c20f10c2b707

Download Submit
memory/1724-58-0x0000000000000000-mapping.dmp

Download
memory/1724-69-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-64-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1760-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1760-66-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1760-67-0x000000000041D480-mapping.dmp

Download
memory/1760-68-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/1860-57-0x0000000005300000-0x0000000005382000-memory.dmp

Filesize
520KB

Download
memory/1860-56-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/1860-62-0x0000000004C40000-0x0000000004C70000-memory.dmp

Filesize
192KB

Download
memory/1860-54-0x0000000000880000-0x0000000000902000-memory.dmp

Filesize
520KB

Download
memory/1860-55-0x0000000075E41000-0x0000000075E43000-memory.dmp

Filesize
8KB

Download
memory/1968-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads