xloader | dae6ba220bb0a34de731b57965753391343bfe96f9f3fa4fea48102d3377ccf7

General

Target

PRICE_REQUEST_QUOTATION.exe
Size

260KB
MD5

85589170af713a03ca622f94429c634a
SHA1

4e0b9dfd13dd6e4b85bca4352be0cec2be9024d7
SHA256

dae6ba220bb0a34de731b57965753391343bfe96f9f3fa4fea48102d3377ccf7
SHA512

1379d1dbed880c664d7314018e676970afd192a423e6144f3bac6b15e5f89fb4bc245adbe462046ccfb6692e0054be18b459bc2757e60d700c03758232682dd9

Score

10^/10

xloader rgoe loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rgoe

C2

http://www.nudesalon.digital/rgoe/

Decoy

iamstevekelsey.com

homesofchaparralcountryclub.com

voiceyupcom.com

searchengineeye.com

charsantosart.com

baila.madrid

yota.store

halloweenbaldhills.net

futurodr.com

centercodebase.com

666b20.xyz

4-6-2.com

gspotworld.com

rbb78.com

1kingbet.com

hzhongon.com

dossierinc.com

sustainablefoodfactory.com

golfsol.art

socialenterprisestudio.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1212-115-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1212-116-0x000000000041D470-mapping.dmp	xloader
behavioral2/memory/1340-123-0x0000000000630000-0x0000000000659000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

PRICE_REQUEST_QUOTATION.exe

pid process

856 PRICE_REQUEST_QUOTATION.exe

pid	process
856	PRICE_REQUEST_QUOTATION.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PRICE_REQUEST_QUOTATION.exePRICE_REQUEST_QUOTATION.exeexplorer.exe

description	pid	process	target process
PID 856 set thread context of 1212	856	PRICE_REQUEST_QUOTATION.exe	PRICE_REQUEST_QUOTATION.exe
PID 1212 set thread context of 2740	1212	PRICE_REQUEST_QUOTATION.exe	Explorer.EXE
PID 1340 set thread context of 2740	1340	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

PRICE_REQUEST_QUOTATION.exeexplorer.exe

pid	process
1212	PRICE_REQUEST_QUOTATION.exe
1212	PRICE_REQUEST_QUOTATION.exe
1212	PRICE_REQUEST_QUOTATION.exe
1212	PRICE_REQUEST_QUOTATION.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe
1340	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2740 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PRICE_REQUEST_QUOTATION.exeexplorer.exe

pid process

1212 PRICE_REQUEST_QUOTATION.exe
1212 PRICE_REQUEST_QUOTATION.exe
1212 PRICE_REQUEST_QUOTATION.exe
1340 explorer.exe
1340 explorer.exe

pid	process
2740	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

PRICE_REQUEST_QUOTATION.exeexplorer.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1212	PRICE_REQUEST_QUOTATION.exe
Token: SeDebugPrivilege	1340	explorer.exe
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

2740 Explorer.EXE
2740 Explorer.EXE
2740 Explorer.EXE
2740 Explorer.EXE

pid	process
2740	Explorer.EXE
2740	Explorer.EXE
2740	Explorer.EXE
2740	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PRICE_REQUEST_QUOTATION.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 856 wrote to memory of 1212	856	PRICE_REQUEST_QUOTATION.exe	PRICE_REQUEST_QUOTATION.exe
PID 856 wrote to memory of 1212	856	PRICE_REQUEST_QUOTATION.exe	PRICE_REQUEST_QUOTATION.exe
PID 856 wrote to memory of 1212	856	PRICE_REQUEST_QUOTATION.exe	PRICE_REQUEST_QUOTATION.exe
PID 856 wrote to memory of 1212	856	PRICE_REQUEST_QUOTATION.exe	PRICE_REQUEST_QUOTATION.exe
PID 856 wrote to memory of 1212	856	PRICE_REQUEST_QUOTATION.exe	PRICE_REQUEST_QUOTATION.exe
PID 856 wrote to memory of 1212	856	PRICE_REQUEST_QUOTATION.exe	PRICE_REQUEST_QUOTATION.exe
PID 2740 wrote to memory of 1340	2740	Explorer.EXE	explorer.exe
PID 2740 wrote to memory of 1340	2740	Explorer.EXE	explorer.exe
PID 2740 wrote to memory of 1340	2740	Explorer.EXE	explorer.exe
PID 1340 wrote to memory of 1532	1340	explorer.exe	cmd.exe
PID 1340 wrote to memory of 1532	1340	explorer.exe	cmd.exe
PID 1340 wrote to memory of 1532	1340	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Local\Temp\PRICE_REQUEST_QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\PRICE_REQUEST_QUOTATION.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\PRICE_REQUEST_QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\PRICE_REQUEST_QUOTATION.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PRICE_REQUEST_QUOTATION.exe"
3⤵
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsq7182.tmp\akepwc.dll
MD5
0560ba80e8afe7f5d83eb600602ab426

SHA1
a783f03bc76ee70833d61d69d854674f45d5a223

SHA256
19013d7428a659774231fd4b5213a463eeab58a0c347dadfaa95536bd89d3f13

SHA512
a034974dc569db8064b9bc5699e33b188c581e716862fed95708a1b2caaccaa6ae8ee4f4f23989c68ef838ea71271423501b6aea27a9c216af9db9745356b12c

Download Submit
memory/1212-115-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1212-116-0x000000000041D470-mapping.dmp

Download
memory/1212-118-0x0000000000E50000-0x0000000000E61000-memory.dmp

Filesize
68KB

Download
memory/1212-117-0x0000000000990000-0x0000000000CB0000-memory.dmp

Filesize
3.1MB

Download
memory/1340-120-0x0000000000000000-mapping.dmp

Download
memory/1340-122-0x0000000000A10000-0x0000000000E4F000-memory.dmp

Filesize
4.2MB

Download
memory/1340-123-0x0000000000630000-0x0000000000659000-memory.dmp

Filesize
164KB

Download
memory/1340-124-0x0000000004A60000-0x0000000004D80000-memory.dmp

Filesize
3.1MB

Download
memory/1340-125-0x00000000048C0000-0x0000000004950000-memory.dmp

Filesize
576KB

Download
memory/1532-121-0x0000000000000000-mapping.dmp

Download
memory/2740-119-0x0000000007360000-0x00000000074AB000-memory.dmp

Filesize
1.3MB

Download
memory/2740-126-0x0000000006880000-0x000000000698E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads