xloader | 9dcb8b18c173b2407f6edd177227417ab9e0742997570b07d3d40ec71506480d

General

Target

026c9f0901c1f8edc43dbc0cc965186b.exe
Size

844KB
MD5

026c9f0901c1f8edc43dbc0cc965186b
SHA1

a500f8cce19f08ff89b9f8c39f34009872cc3e75
SHA256

9dcb8b18c173b2407f6edd177227417ab9e0742997570b07d3d40ec71506480d
SHA512

81053ecb219dde722185e57db6d2091ec60a2607a3335147b4a6b733123334730b32cec59ebef3251e5185fa6d36182e8e951c8c60ba4f8026bae82cac24f5c3

Score

10^/10

xloader r87g loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

r87g

Decoy

gzjyjzsj.com

rapibest.com

affordablebathroomsbyfrank.net

roboruben.com

xn--dlisucr-byag.com

encoreasso.com

piscire.com

dixiebusybee.com

newrome.xyz

sunshinejon.com

glacierforfcs.xyz

borhanmarket.com

tous-des-cons.club

hsfstea.com

spiniform.info

vaicomfibra.com

shinigami.xyz

kryptoindia.com

listentoappetite.com

securepplpay.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5116-141-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

026c9f0901c1f8edc43dbc0cc965186b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	026c9f0901c1f8edc43dbc0cc965186b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

026c9f0901c1f8edc43dbc0cc965186b.exe

description pid process target process

PID 4476 set thread context of 5116 4476 026c9f0901c1f8edc43dbc0cc965186b.exe 026c9f0901c1f8edc43dbc0cc965186b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5056 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe026c9f0901c1f8edc43dbc0cc965186b.exe

pid process

656 powershell.exe
5116 026c9f0901c1f8edc43dbc0cc965186b.exe
5116 026c9f0901c1f8edc43dbc0cc965186b.exe
656 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 656 powershell.exe

description	pid	process	target process
PID 4476 set thread context of 5116	4476	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe

pid	process
5056	schtasks.exe

pid	process
656	powershell.exe
5116	026c9f0901c1f8edc43dbc0cc965186b.exe
5116	026c9f0901c1f8edc43dbc0cc965186b.exe
656	powershell.exe

description	pid	process
Token: SeDebugPrivilege	656	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

026c9f0901c1f8edc43dbc0cc965186b.exe

description	pid	process	target process
PID 4476 wrote to memory of 656	4476	026c9f0901c1f8edc43dbc0cc965186b.exe	powershell.exe
PID 4476 wrote to memory of 656	4476	026c9f0901c1f8edc43dbc0cc965186b.exe	powershell.exe
PID 4476 wrote to memory of 656	4476	026c9f0901c1f8edc43dbc0cc965186b.exe	powershell.exe
PID 4476 wrote to memory of 5056	4476	026c9f0901c1f8edc43dbc0cc965186b.exe	schtasks.exe
PID 4476 wrote to memory of 5056	4476	026c9f0901c1f8edc43dbc0cc965186b.exe	schtasks.exe
PID 4476 wrote to memory of 5056	4476	026c9f0901c1f8edc43dbc0cc965186b.exe	schtasks.exe
PID 4476 wrote to memory of 5116	4476	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe
PID 4476 wrote to memory of 5116	4476	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe
PID 4476 wrote to memory of 5116	4476	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe
PID 4476 wrote to memory of 5116	4476	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe
PID 4476 wrote to memory of 5116	4476	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe
PID 4476 wrote to memory of 5116	4476	026c9f0901c1f8edc43dbc0cc965186b.exe	026c9f0901c1f8edc43dbc0cc965186b.exe

C:\Users\Admin\AppData\Local\Temp\026c9f0901c1f8edc43dbc0cc965186b.exe
"C:\Users\Admin\AppData\Local\Temp\026c9f0901c1f8edc43dbc0cc965186b.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LPjFjDtf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LPjFjDtf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5311.tmp"
2⤵
- Creates scheduled task(s)
PID:5056

C:\Users\Admin\AppData\Local\Temp\026c9f0901c1f8edc43dbc0cc965186b.exe
"C:\Users\Admin\AppData\Local\Temp\026c9f0901c1f8edc43dbc0cc965186b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5311.tmp
Filesize
1KB

MD5
3d24916f5bafc3cab4fdfa723c8b9309

SHA1
a6f16f63dc638d4feae4109671653d010495556a

SHA256
3b50ba80507b0249da1051fb4866f647ed9d678effcde019adbfee84daf30dc8

SHA512
119b27599f753edef2ebf12d515884004062001f6a290a21f61312b404afdbf22d3ddf0be975819a707119b36ee49a9ca982f7060c7b5d6edce263333d1660ee

Download Submit
memory/656-144-0x0000000005E50000-0x0000000005EB6000-memory.dmp

Filesize
408KB

Download
memory/656-140-0x00000000056B0000-0x0000000005CD8000-memory.dmp

Filesize
6.2MB

Download
memory/656-143-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download
memory/656-156-0x0000000007A90000-0x0000000007A98000-memory.dmp

Filesize
32KB

Download
memory/656-135-0x0000000000000000-mapping.dmp

Download
memory/656-155-0x0000000007AB0000-0x0000000007ACA000-memory.dmp

Filesize
104KB

Download
memory/656-137-0x0000000002B50000-0x0000000002B86000-memory.dmp

Filesize
216KB

Download
memory/656-154-0x00000000079A0000-0x00000000079AE000-memory.dmp

Filesize
56KB

Download
memory/656-153-0x00000000079F0000-0x0000000007A86000-memory.dmp

Filesize
600KB

Download
memory/656-148-0x0000000071A30000-0x0000000071A7C000-memory.dmp

Filesize
304KB

Download
memory/656-151-0x0000000007770000-0x000000000778A000-memory.dmp

Filesize
104KB

Download
memory/656-142-0x00000000054B0000-0x00000000054D2000-memory.dmp

Filesize
136KB

Download
memory/656-150-0x0000000007DB0000-0x000000000842A000-memory.dmp

Filesize
6.5MB

Download
memory/656-149-0x0000000006A10000-0x0000000006A2E000-memory.dmp

Filesize
120KB

Download
memory/656-152-0x00000000077E0000-0x00000000077EA000-memory.dmp

Filesize
40KB

Download
memory/656-146-0x0000000006470000-0x000000000648E000-memory.dmp

Filesize
120KB

Download
memory/656-147-0x0000000006A30000-0x0000000006A62000-memory.dmp

Filesize
200KB

Download
memory/4476-131-0x0000000005310000-0x00000000058B4000-memory.dmp

Filesize
5.6MB

Download
memory/4476-133-0x0000000004FF0000-0x0000000004FFA000-memory.dmp

Filesize
40KB

Download
memory/4476-132-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/4476-134-0x00000000087F0000-0x000000000888C000-memory.dmp

Filesize
624KB

Download
memory/4476-130-0x00000000003C0000-0x000000000049A000-memory.dmp

Filesize
872KB

Download
memory/5056-136-0x0000000000000000-mapping.dmp

Download
memory/5116-157-0x0000000001A20000-0x0000000001D6A000-memory.dmp

Filesize
3.3MB

Download
memory/5116-141-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5116-145-0x0000000001A20000-0x0000000001D6A000-memory.dmp

Filesize
3.3MB

Download
memory/5116-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads