xloader | 9dcb8b18c173b2407f6edd177227417ab9e0742997570b07d3d40ec71506480d

General

Target

026c9f0901c1f8edc43dbc0cc965186b.exe
Size

844KB
MD5

026c9f0901c1f8edc43dbc0cc965186b
SHA1

a500f8cce19f08ff89b9f8c39f34009872cc3e75
SHA256

9dcb8b18c173b2407f6edd177227417ab9e0742997570b07d3d40ec71506480d
SHA512

81053ecb219dde722185e57db6d2091ec60a2607a3335147b4a6b733123334730b32cec59ebef3251e5185fa6d36182e8e951c8c60ba4f8026bae82cac24f5c3

Score

10^/10

xloader r87g loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

r87g

Decoy

gzjyjzsj.com

rapibest.com

affordablebathroomsbyfrank.net

roboruben.com

xn--dlisucr-byag.com

encoreasso.com

piscire.com

dixiebusybee.com

newrome.xyz

sunshinejon.com

glacierforfcs.xyz

borhanmarket.com

tous-des-cons.club

hsfstea.com

spiniform.info

vaicomfibra.com

shinigami.xyz

kryptoindia.com

listentoappetite.com

securepplpay.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/540-66-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/540-67-0x000000000041D480-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

026c9f0901c1f8edc43dbc0cc965186b.exe

description pid process target process

PID 2024 set thread context of 540 2024 026c9f0901c1f8edc43dbc0cc965186b.exe 026c9f0901c1f8edc43dbc0cc965186b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1556 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

026c9f0901c1f8edc43dbc0cc965186b.exe026c9f0901c1f8edc43dbc0cc965186b.exepowershell.exe

pid process

2024 026c9f0901c1f8edc43dbc0cc965186b.exe
540 026c9f0901c1f8edc43dbc0cc965186b.exe
1676 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

026c9f0901c1f8edc43dbc0cc965186b.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2024 026c9f0901c1f8edc43dbc0cc965186b.exe
Token: SeDebugPrivilege 1676 powershell.exe

description	pid	process	target process
PID 2024 set thread context of 540	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe

pid	process
1556	schtasks.exe

pid	process
2024	026c9f0901c1f8edc43dbc0cc965186b.exe
540	026c9f0901c1f8edc43dbc0cc965186b.exe
1676	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2024	026c9f0901c1f8edc43dbc0cc965186b.exe
Token: SeDebugPrivilege	1676	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

026c9f0901c1f8edc43dbc0cc965186b.exe

description	pid	process	target process
PID 2024 wrote to memory of 1676	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	powershell.exe
PID 2024 wrote to memory of 1676	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	powershell.exe
PID 2024 wrote to memory of 1676	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	powershell.exe
PID 2024 wrote to memory of 1676	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	powershell.exe
PID 2024 wrote to memory of 1556	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	schtasks.exe
PID 2024 wrote to memory of 1556	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	schtasks.exe
PID 2024 wrote to memory of 1556	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	schtasks.exe
PID 2024 wrote to memory of 1556	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	schtasks.exe
PID 2024 wrote to memory of 1476	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe
PID 2024 wrote to memory of 1476	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe
PID 2024 wrote to memory of 1476	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe
PID 2024 wrote to memory of 1476	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe
PID 2024 wrote to memory of 540	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe
PID 2024 wrote to memory of 540	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe
PID 2024 wrote to memory of 540	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe
PID 2024 wrote to memory of 540	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe
PID 2024 wrote to memory of 540	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe
PID 2024 wrote to memory of 540	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe
PID 2024 wrote to memory of 540	2024	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe

C:\Users\Admin\AppData\Local\Temp\026c9f0901c1f8edc43dbc0cc965186b.exe
"C:\Users\Admin\AppData\Local\Temp\026c9f0901c1f8edc43dbc0cc965186b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LPjFjDtf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LPjFjDtf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF596.tmp"
2⤵
- Creates scheduled task(s)
PID:1556

C:\Users\Admin\AppData\Local\Temp\026c9f0901c1f8edc43dbc0cc965186b.exe
"C:\Users\Admin\AppData\Local\Temp\026c9f0901c1f8edc43dbc0cc965186b.exe"
2⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\026c9f0901c1f8edc43dbc0cc965186b.exe
"C:\Users\Admin\AppData\Local\Temp\026c9f0901c1f8edc43dbc0cc965186b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:540

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF596.tmp
Filesize
1KB

MD5
b4dfd20b2ec0c4a9bb07946d7b946644

SHA1
ed7eb86c824ea5bd7fdfd38b473e955fbba49f64

SHA256
d981526b47c5b2d9c29c74123db89c8d11e9289b50b5ac8327e2fe8d75913e96

SHA512
3cb86bd673dccec003b134afb7746432e85e2ae3f6122e985eada3b23b172ee7424bf2fcafb166dc6f49329ca0b0ba46cc7a881a844331d1317a6ff936887634

Download Submit
memory/540-64-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/540-67-0x000000000041D480-mapping.dmp

Download
memory/540-68-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/540-66-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/540-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1556-59-0x0000000000000000-mapping.dmp

Download
memory/1676-58-0x0000000000000000-mapping.dmp

Download
memory/1676-69-0x000000006EB10000-0x000000006F0BB000-memory.dmp

Filesize
5.7MB

Download
memory/1676-70-0x000000006EB10000-0x000000006F0BB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-55-0x0000000075381000-0x0000000075383000-memory.dmp

Filesize
8KB

Download
memory/2024-62-0x0000000001330000-0x0000000001360000-memory.dmp

Filesize
192KB

Download
memory/2024-54-0x0000000001360000-0x000000000143A000-memory.dmp

Filesize
872KB

Download
memory/2024-56-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/2024-57-0x0000000004E30000-0x0000000004E98000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads