xloader | 5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a

General

Target

4b32fb4d21ff7225187b42d4c9722dce.exe
Size

1.1MB
MD5

4b32fb4d21ff7225187b42d4c9722dce
SHA1

331e10b03dc5cf994d3985aea2570f08e2707560
SHA256

5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a
SHA512

d4031c8069d11d78007f215471a982d12ab6059b973477961943dc33d2bf3d0547c95776ebc4b514130964ea9c5e77d2e1b855515c0dea7edf3498e501e2531d
SSDEEP

12288:2Gy2V8gP2iNdmth0+QHU6fm5LJHdkhjn+IZjxwRyCVWHz3T/J4GLIh+wT4P:b1yh0+CcFdyjSkCVm/Jql0

Score

10^/10

xloader w56m loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

w56m

Decoy

damai.zone

mywishbookweb.cloud

sandilakeclothing.bid

joysell.net

hackedwhores.com

sjdibang.com

memaquiahiga.com

bleeckerbobs.net

emmettthomas.com

thesheetz.com

mimik33.info

prettyprettybartending.com

3173596.com

shwangjia.com

sightuiop.com

tinnitusnow.online

mahadevexporters.com

cleaninglanarkshire.com

ibiaozhi.net

upinfame.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/1100-23-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1100-18-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5048	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4b32fb4d21ff7225187b42d4c9722dce.exe
"C:\Users\Admin\AppData\Local\Temp\4b32fb4d21ff7225187b42d4c9722dce.exe"
1⤵
PID:5000
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RkaONosqCQHta" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF2FB.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:5048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:3744

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
1⤵
PID:4068
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1100-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1100-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1100-28-0x0000000001390000-0x00000000013A1000-memory.dmp

Filesize
68KB

Download
memory/1100-21-0x00000000013D0000-0x000000000171A000-memory.dmp

Filesize
3.3MB

Download
memory/1100-24-0x0000000001310000-0x0000000001321000-memory.dmp

Filesize
68KB

Download
memory/1100-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3560-44-0x0000000008530000-0x0000000008663000-memory.dmp

Filesize
1.2MB

Download
memory/3560-41-0x0000000008530000-0x0000000008663000-memory.dmp

Filesize
1.2MB

Download
memory/3560-40-0x0000000008530000-0x0000000008663000-memory.dmp

Filesize
1.2MB

Download
memory/3560-38-0x0000000008180000-0x00000000082E9000-memory.dmp

Filesize
1.4MB

Download
memory/3560-36-0x0000000003FD0000-0x0000000004174000-memory.dmp

Filesize
1.6MB

Download
memory/3560-29-0x0000000008180000-0x00000000082E9000-memory.dmp

Filesize
1.4MB

Download
memory/3560-25-0x0000000003FD0000-0x0000000004174000-memory.dmp

Filesize
1.6MB

Download
memory/4068-32-0x0000000000670000-0x0000000000699000-memory.dmp

Filesize
164KB

Download
memory/4068-34-0x0000000000670000-0x0000000000699000-memory.dmp

Filesize
164KB

Download
memory/4068-37-0x0000000000C90000-0x0000000000D20000-memory.dmp

Filesize
576KB

Download
memory/4068-33-0x0000000000F40000-0x000000000128A000-memory.dmp

Filesize
3.3MB

Download
memory/4068-31-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/4068-30-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/5000-11-0x0000000002B20000-0x0000000002BC0000-memory.dmp

Filesize
640KB

Download
memory/5000-4-0x00000000051F0000-0x0000000005282000-memory.dmp

Filesize
584KB

Download
memory/5000-7-0x0000000005440000-0x0000000005496000-memory.dmp

Filesize
344KB

Download
memory/5000-9-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/5000-10-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/5000-2-0x0000000005150000-0x00000000051EC000-memory.dmp

Filesize
624KB

Download
memory/5000-0-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/5000-8-0x0000000007BE0000-0x0000000007BFE000-memory.dmp

Filesize
120KB

Download
memory/5000-6-0x0000000005100000-0x000000000510A000-memory.dmp

Filesize
40KB

Download
memory/5000-12-0x00000000067F0000-0x000000000681E000-memory.dmp

Filesize
184KB

Download
memory/5000-5-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/5000-1-0x00000000005F0000-0x0000000000704000-memory.dmp

Filesize
1.1MB

Download
memory/5000-20-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/5000-3-0x00000000057A0000-0x0000000005D44000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads