xloader | 6e9ddd1d83e526efb6a597d46f95bfa07d09f2de7b4a71f2b99573cd45c924dd

General

Target

4eb2be32690511a45844f521fa273dcb.exe
Size

842KB
MD5

4eb2be32690511a45844f521fa273dcb
SHA1

6aa45974c89398f0b1663231933aff412d8977ed
SHA256

6e9ddd1d83e526efb6a597d46f95bfa07d09f2de7b4a71f2b99573cd45c924dd
SHA512

cfddb820f2c525bdf686e19c3d11201028cd34388580ce2f0682327d874f25d467b1a50026c0ec291503b6e2df6338965e89ef3307e0271d92c3c1ae0ada38b9
SSDEEP

12288:Dfp109zl8OAXHrFVCKgUZtdOrOwKCHFa5gBK0wXkAg5dZGeR:DSGOAvlZt8OwKwkKAgFG8

Score

10^/10

xloader n8ba loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n8ba

Decoy

thefitflect.com

anytourist.com

blggz.xyz

ascope.club

obyeboss.com

braun-mathematik.online

mtsnurulislamsby.com

jwpropertiestn.com

animalds.com

cunerier.com

sillysocklife.com

shopliyonamaaghin.net

theredcymbalsco.com

lostbikeproject.com

ryggoqlmga.club

realestatetriggers.com

luvlauricephotography.com

cheesehome.cloud

5fashionfix.net

wata-6-rwem.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2324-17-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1876 set thread context of 2324	1876	4eb2be32690511a45844f521fa273dcb.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1760	2324	WerFault.exe	30

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1876	4eb2be32690511a45844f521fa273dcb.exe
1876	4eb2be32690511a45844f521fa273dcb.exe
1876	4eb2be32690511a45844f521fa273dcb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1876	4eb2be32690511a45844f521fa273dcb.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 1972	1876	4eb2be32690511a45844f521fa273dcb.exe	26
PID 1876 wrote to memory of 1972	1876	4eb2be32690511a45844f521fa273dcb.exe	26
PID 1876 wrote to memory of 1972	1876	4eb2be32690511a45844f521fa273dcb.exe	26
PID 1876 wrote to memory of 1972	1876	4eb2be32690511a45844f521fa273dcb.exe	26
PID 1876 wrote to memory of 2356	1876	4eb2be32690511a45844f521fa273dcb.exe	28
PID 1876 wrote to memory of 2356	1876	4eb2be32690511a45844f521fa273dcb.exe	28
PID 1876 wrote to memory of 2356	1876	4eb2be32690511a45844f521fa273dcb.exe	28
PID 1876 wrote to memory of 2356	1876	4eb2be32690511a45844f521fa273dcb.exe	28
PID 1876 wrote to memory of 2488	1876	4eb2be32690511a45844f521fa273dcb.exe	29
PID 1876 wrote to memory of 2488	1876	4eb2be32690511a45844f521fa273dcb.exe	29
PID 1876 wrote to memory of 2488	1876	4eb2be32690511a45844f521fa273dcb.exe	29
PID 1876 wrote to memory of 2488	1876	4eb2be32690511a45844f521fa273dcb.exe	29
PID 1876 wrote to memory of 2324	1876	4eb2be32690511a45844f521fa273dcb.exe	30
PID 1876 wrote to memory of 2324	1876	4eb2be32690511a45844f521fa273dcb.exe	30
PID 1876 wrote to memory of 2324	1876	4eb2be32690511a45844f521fa273dcb.exe	30
PID 1876 wrote to memory of 2324	1876	4eb2be32690511a45844f521fa273dcb.exe	30
PID 1876 wrote to memory of 2324	1876	4eb2be32690511a45844f521fa273dcb.exe	30
PID 1876 wrote to memory of 2324	1876	4eb2be32690511a45844f521fa273dcb.exe	30
PID 1876 wrote to memory of 2324	1876	4eb2be32690511a45844f521fa273dcb.exe	30
PID 2324 wrote to memory of 1760	2324	MSBuild.exe	31
PID 2324 wrote to memory of 1760	2324	MSBuild.exe	31
PID 2324 wrote to memory of 1760	2324	MSBuild.exe	31
PID 2324 wrote to memory of 1760	2324	MSBuild.exe	31

C:\Users\Admin\AppData\Local\Temp\4eb2be32690511a45844f521fa273dcb.exe
"C:\Users\Admin\AppData\Local\Temp\4eb2be32690511a45844f521fa273dcb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ExPNCaiSiiqAFP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE38C.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 36
    3⤵
    - Program crash
    PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE38C.tmp

Filesize
1KB

MD5
49d2708624f1883b71337c7c8d7638fd

SHA1
e0f6fc46f41ac2c2fb3684c897b602d60dc6ce00

SHA256
dee62aace3d0d2c9a1836a012b03aad1c330e2e5294eb5e8cafe550aa192e613

SHA512
dd882e8da9fedb09861e4c94fb770de1db87c30700208c62d66430d02a7177c1fd38fd9bc7bf05e2d0fa503e7cde612523ce33ddeb35579882be87831ef786f7

Download Submit
memory/1876-6-0x00000000057B0000-0x0000000005856000-memory.dmp

Filesize
664KB

Download
memory/1876-2-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1876-3-0x00000000004E0000-0x00000000004F8000-memory.dmp

Filesize
96KB

Download
memory/1876-4-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/1876-5-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1876-0-0x0000000000900000-0x00000000009D8000-memory.dmp

Filesize
864KB

Download
memory/1876-7-0x0000000000780000-0x00000000007B8000-memory.dmp

Filesize
224KB

Download
memory/1876-1-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/1876-18-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2324-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2324-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2324-16-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2324-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads