xloader | 33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59

General

Target

33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe
Size

510KB
MD5

ed110000e4a38ea4c524a777c0b28a38
SHA1

a82ea598a09bf51269131363d2ca1120e45c92aa
SHA256

33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59
SHA512

b771cae1b0e7a25d58dbbdb60a86d39bed08d6c0f97d18b928cb1179dba6911f494b4cec853d169d3113f2a7afa1c3ac45e6fb74f6c6a1fa73978b9209c0de4e

Score

10^/10

xloader loader rat

Malware Config

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/412-140-0x0000000000400000-0x000000000042C000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5092 set thread context of 412	5092	33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1452	powershell.exe
412	33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe
412	33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe
1452	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1452	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 1452	5092	33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe	90
PID 5092 wrote to memory of 1452	5092	33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe	90
PID 5092 wrote to memory of 1452	5092	33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe	90
PID 5092 wrote to memory of 4892	5092	33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe	92
PID 5092 wrote to memory of 4892	5092	33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe	92
PID 5092 wrote to memory of 4892	5092	33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe	92
PID 5092 wrote to memory of 412	5092	33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe	94
PID 5092 wrote to memory of 412	5092	33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe	94
PID 5092 wrote to memory of 412	5092	33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe	94
PID 5092 wrote to memory of 412	5092	33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe	94
PID 5092 wrote to memory of 412	5092	33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe	94
PID 5092 wrote to memory of 412	5092	33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe	94

C:\Users\Admin\AppData\Local\Temp\33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe
"C:\Users\Admin\AppData\Local\Temp\33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\atfDjSnEZXbNX.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\atfDjSnEZXbNX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5CE5.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4892
- C:\Users\Admin\AppData\Local\Temp\33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe
  "C:\Users\Admin\AppData\Local\Temp\33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5CE5.tmp

Filesize
1KB

MD5
6300e9b4cc39989732e18260c9f9b62d

SHA1
7ecfb4e3a58589ce258eb947c3db02d3c8123ac7

SHA256
9de93336ac1e7495946431529f437d7e18ff5e9e1079b4310853414694413c86

SHA512
c1279b053947487d4696a9691b1ebe93bb3894b1967cffea33d121a3c9c51ffeddcc0dd0384619496ef5e41f72d496341675b39f87eb07441c46afd626c50cd2

Download Submit
memory/412-145-0x0000000001400000-0x000000000174A000-memory.dmp

Filesize
3.3MB

Download
memory/412-140-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1452-148-0x0000000070DC0000-0x0000000070E0C000-memory.dmp

Filesize
304KB

Download
memory/1452-143-0x0000000004F20000-0x0000000004F86000-memory.dmp

Filesize
408KB

Download
memory/1452-151-0x0000000007030000-0x000000000704A000-memory.dmp

Filesize
104KB

Download
memory/1452-137-0x0000000002400000-0x0000000002436000-memory.dmp

Filesize
216KB

Download
memory/1452-156-0x0000000007350000-0x0000000007358000-memory.dmp

Filesize
32KB

Download
memory/1452-155-0x0000000007370000-0x000000000738A000-memory.dmp

Filesize
104KB

Download
memory/1452-141-0x0000000005000000-0x0000000005628000-memory.dmp

Filesize
6.2MB

Download
memory/1452-142-0x0000000004D80000-0x0000000004DA2000-memory.dmp

Filesize
136KB

Download
memory/1452-152-0x00000000070A0000-0x00000000070AA000-memory.dmp

Filesize
40KB

Download
memory/1452-144-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/1452-154-0x0000000007260000-0x000000000726E000-memory.dmp

Filesize
56KB

Download
memory/1452-146-0x0000000005D30000-0x0000000005D4E000-memory.dmp

Filesize
120KB

Download
memory/1452-147-0x00000000062F0000-0x0000000006322000-memory.dmp

Filesize
200KB

Download
memory/1452-153-0x00000000072B0000-0x0000000007346000-memory.dmp

Filesize
600KB

Download
memory/1452-149-0x00000000062D0000-0x00000000062EE000-memory.dmp

Filesize
120KB

Download
memory/1452-150-0x0000000007680000-0x0000000007CFA000-memory.dmp

Filesize
6.5MB

Download
memory/5092-132-0x00000000056C0000-0x0000000005752000-memory.dmp

Filesize
584KB

Download
memory/5092-130-0x0000000000C70000-0x0000000000CF6000-memory.dmp

Filesize
536KB

Download
memory/5092-131-0x0000000005C70000-0x0000000006214000-memory.dmp

Filesize
5.6MB

Download
memory/5092-133-0x0000000003360000-0x000000000336A000-memory.dmp

Filesize
40KB

Download
memory/5092-134-0x0000000007D50000-0x0000000007DEC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads