xloader | 577322e3f941bd8f432e83818ff0e97f411e67e75f9ed5654b856f6e6e2ae9e2

General

Target

SecuriteInfo.com.W32.AIDetectNet.01.8546.exe
Size

724KB
MD5

1b053ad5898e7a62a5ba6d5b4614acc1
SHA1

24ec1578605b09fd3da9aef8613358bfbb205398
SHA256

577322e3f941bd8f432e83818ff0e97f411e67e75f9ed5654b856f6e6e2ae9e2
SHA512

f3641c3bcaa88ac62305bec4d42f37ee1455f5979f2f9c6525cc2d183be58dca91fa222d03da5b8d007993750187b37f3980a465291f667d58f2a3626df46f93

Score

10^/10

xloader n5mz loader rat

Malware Config

Extracted

Family

xloader

Version

2.7

Campaign

n5mz

Decoy

ezhuilike.com

broomstickrum.com

ramaniclothing.com

midbots.com

rlxscpe.com

elanagro.online

chahuajie.com

digipubcity.com

predatorstoppers.com

savas-jewelry.com

timinis23.com

homesteaddesignstudio.net

bellezadehoy.online

disintar.xyz

sharinks.tech

redfoxdetroit.com

resscoptheron.com

aspiritualgiftshoppe.com

tematemazo.com

assasa.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4964-144-0x0000000000400000-0x000000000042B000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.8546.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.8546.exe

description	pid	process	target process
PID 4236 set thread context of 4964	4236	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3552 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeSecuriteInfo.com.W32.AIDetectNet.01.8546.exe

pid process

2600 powershell.exe
2600 powershell.exe
4964 SecuriteInfo.com.W32.AIDetectNet.01.8546.exe
4964 SecuriteInfo.com.W32.AIDetectNet.01.8546.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2600 powershell.exe

pid	process
3552	schtasks.exe

pid	process
2600	powershell.exe
2600	powershell.exe
4964	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe
4964	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe

description	pid	process
Token: SeDebugPrivilege	2600	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.8546.exe

description	pid	process	target process
PID 4236 wrote to memory of 2600	4236	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe	powershell.exe
PID 4236 wrote to memory of 2600	4236	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe	powershell.exe
PID 4236 wrote to memory of 2600	4236	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe	powershell.exe
PID 4236 wrote to memory of 3552	4236	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe	schtasks.exe
PID 4236 wrote to memory of 3552	4236	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe	schtasks.exe
PID 4236 wrote to memory of 3552	4236	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe	schtasks.exe
PID 4236 wrote to memory of 4964	4236	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe
PID 4236 wrote to memory of 4964	4236	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe
PID 4236 wrote to memory of 4964	4236	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe
PID 4236 wrote to memory of 4964	4236	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe
PID 4236 wrote to memory of 4964	4236	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe
PID 4236 wrote to memory of 4964	4236	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe	SecuriteInfo.com.W32.AIDetectNet.01.8546.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.8546.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.8546.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WoJYlIWNwLUW.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WoJYlIWNwLUW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D91.tmp"
2⤵
- Creates scheduled task(s)
PID:3552

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.8546.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.8546.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5D91.tmp
Filesize
1KB

MD5
58297850ece7e1d6ae94702a2178a089

SHA1
5c0f8b475b43261a478159c1a70098baef14e894

SHA256
e78544ce01f8a3d2498e8fcd7691bf562f5e26315d031a97bae5fc3f5605fff5

SHA512
2ea66a6f6f04620fe80a47e0d86c98c068ce15310c9ed9e490be566b21ca7435dad9c8ddb3ca1b575287af41e3fb0bb0075c906d3ed178534734350107335f05

Download Submit
memory/2600-142-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/2600-150-0x0000000007710000-0x0000000007D8A000-memory.dmp

Filesize
6.5MB

Download
memory/2600-155-0x0000000007400000-0x000000000741A000-memory.dmp

Filesize
104KB

Download
memory/2600-145-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

Filesize
120KB

Download
memory/2600-154-0x00000000072F0000-0x00000000072FE000-memory.dmp

Filesize
56KB

Download
memory/2600-136-0x0000000000000000-mapping.dmp

Download
memory/2600-153-0x0000000007340000-0x00000000073D6000-memory.dmp

Filesize
600KB

Download
memory/2600-138-0x0000000002490000-0x00000000024C6000-memory.dmp

Filesize
216KB

Download
memory/2600-152-0x0000000007140000-0x000000000714A000-memory.dmp

Filesize
40KB

Download
memory/2600-140-0x0000000004F60000-0x0000000005588000-memory.dmp

Filesize
6.2MB

Download
memory/2600-141-0x0000000004EE0000-0x0000000004F02000-memory.dmp

Filesize
136KB

Download
memory/2600-151-0x00000000070C0000-0x00000000070DA000-memory.dmp

Filesize
104KB

Download
memory/2600-156-0x00000000073E0000-0x00000000073E8000-memory.dmp

Filesize
32KB

Download
memory/2600-149-0x0000000006360000-0x000000000637E000-memory.dmp

Filesize
120KB

Download
memory/2600-148-0x0000000074E10000-0x0000000074E5C000-memory.dmp

Filesize
304KB

Download
memory/2600-147-0x00000000063A0000-0x00000000063D2000-memory.dmp

Filesize
200KB

Download
memory/3552-137-0x0000000000000000-mapping.dmp

Download
memory/4236-134-0x0000000007E80000-0x0000000007F1C000-memory.dmp

Filesize
624KB

Download
memory/4236-133-0x0000000005A90000-0x0000000005A9A000-memory.dmp

Filesize
40KB

Download
memory/4236-132-0x00000000058F0000-0x0000000005982000-memory.dmp

Filesize
584KB

Download
memory/4236-130-0x0000000000EA0000-0x0000000000F5C000-memory.dmp

Filesize
752KB

Download
memory/4236-131-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/4236-135-0x00000000084E0000-0x0000000008546000-memory.dmp

Filesize
408KB

Download
memory/4964-146-0x0000000001060000-0x00000000013AA000-memory.dmp

Filesize
3.3MB

Download
memory/4964-144-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4964-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads