xloader | b17b8be05fc8389990be623a727369826383bfc2fb33693943f208faa184ff40

General

Target

d0c7488tr739.exe
Size

253KB
MD5

326879d0158d92efc02be27a534e2af4
SHA1

f0a4055436bf4ab684f0ff38a0af2d87ef792069
SHA256

b17b8be05fc8389990be623a727369826383bfc2fb33693943f208faa184ff40
SHA512

950cc47ac43379abe7ba63de202543748d414969f48996e5e7082eaf79f27c9767980354c0483803881cbe88ccbee18a28037d04142274ff2aa14a394003a389

Score

10^/10

xloader u5eh loader persistence rat spyware stealer suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u5eh

C2

http://www.retonamoss.com/u5eh/

Decoy

tryafaq.com

bobcathntshop.com

oglead.com

026skz.xyz

brasbux.com

adna17.com

noveltyrofjiy.xyz

realestatecompanys.com

leman-web.com

df5686.com

jonathonhawkins.com

juliedominyfloralartistry.com

classyeventsco.com

aquaticatt.com

iotworld.xyz

hoc8.com

disposablediapers.store

peregovorim.online

advancebits.club

getaburialplan.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3976-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3976-117-0x000000000041D3E0-mapping.dmp	xloader
behavioral2/memory/3096-124-0x00000000006E0000-0x0000000000709000-memory.dmp	xloader
behavioral2/memory/1788-137-0x000000000041D3E0-mapping.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

servicesnbclm.exeservicesnbclm.exe

pid process

3216 servicesnbclm.exe
1788 servicesnbclm.exe
Loads dropped DLL 2 IoCs

Processes:

d0c7488tr739.exeservicesnbclm.exe

pid process

2492 d0c7488tr739.exe
3216 servicesnbclm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3216	servicesnbclm.exe
1788	servicesnbclm.exe

pid	process
2492	d0c7488tr739.exe
3216	servicesnbclm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

raserver.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	raserver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N8NHPJQ8X0 = "C:\\Program Files (x86)\\Alxyly0\\servicesnbclm.exe"	raserver.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

d0c7488tr739.exed0c7488tr739.exeraserver.exeservicesnbclm.exe

description	pid	process	target process
PID 2492 set thread context of 3976	2492	d0c7488tr739.exe	d0c7488tr739.exe
PID 3976 set thread context of 3036	3976	d0c7488tr739.exe	Explorer.EXE
PID 3096 set thread context of 3036	3096	raserver.exe	Explorer.EXE
PID 3216 set thread context of 1788	3216	servicesnbclm.exe	servicesnbclm.exe

Drops file in Program Files directory 4 IoCs

Processes:

raserver.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Alxyly0\servicesnbclm.exe	raserver.exe
File opened for modification	C:\Program Files (x86)\Alxyly0	Explorer.EXE
File created	C:\Program Files (x86)\Alxyly0\servicesnbclm.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Alxyly0\servicesnbclm.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Alxyly0\servicesnbclm.exe	nsis_installer_1
C:\Program Files (x86)\Alxyly0\servicesnbclm.exe	nsis_installer_2
C:\Program Files (x86)\Alxyly0\servicesnbclm.exe	nsis_installer_1
C:\Program Files (x86)\Alxyly0\servicesnbclm.exe	nsis_installer_2
C:\Program Files (x86)\Alxyly0\servicesnbclm.exe	nsis_installer_1
C:\Program Files (x86)\Alxyly0\servicesnbclm.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

raserver.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

d0c7488tr739.exeraserver.exe

pid	process
3976	d0c7488tr739.exe
3976	d0c7488tr739.exe
3976	d0c7488tr739.exe
3976	d0c7488tr739.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe
3096	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3036 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

d0c7488tr739.exeraserver.exe

pid process

3976 d0c7488tr739.exe
3976 d0c7488tr739.exe
3976 d0c7488tr739.exe
3096 raserver.exe
3096 raserver.exe
3096 raserver.exe

pid	process
3036	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

d0c7488tr739.exeraserver.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3976	d0c7488tr739.exe
Token: SeDebugPrivilege	3096	raserver.exe
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

d0c7488tr739.exeExplorer.EXEraserver.exeservicesnbclm.exe

description	pid	process	target process
PID 2492 wrote to memory of 3976	2492	d0c7488tr739.exe	d0c7488tr739.exe
PID 2492 wrote to memory of 3976	2492	d0c7488tr739.exe	d0c7488tr739.exe
PID 2492 wrote to memory of 3976	2492	d0c7488tr739.exe	d0c7488tr739.exe
PID 2492 wrote to memory of 3976	2492	d0c7488tr739.exe	d0c7488tr739.exe
PID 2492 wrote to memory of 3976	2492	d0c7488tr739.exe	d0c7488tr739.exe
PID 2492 wrote to memory of 3976	2492	d0c7488tr739.exe	d0c7488tr739.exe
PID 3036 wrote to memory of 3096	3036	Explorer.EXE	raserver.exe
PID 3036 wrote to memory of 3096	3036	Explorer.EXE	raserver.exe
PID 3036 wrote to memory of 3096	3036	Explorer.EXE	raserver.exe
PID 3096 wrote to memory of 776	3096	raserver.exe	cmd.exe
PID 3096 wrote to memory of 776	3096	raserver.exe	cmd.exe
PID 3096 wrote to memory of 776	3096	raserver.exe	cmd.exe
PID 3096 wrote to memory of 1936	3096	raserver.exe	cmd.exe
PID 3096 wrote to memory of 1936	3096	raserver.exe	cmd.exe
PID 3096 wrote to memory of 1936	3096	raserver.exe	cmd.exe
PID 3096 wrote to memory of 3164	3096	raserver.exe	Firefox.exe
PID 3096 wrote to memory of 3164	3096	raserver.exe	Firefox.exe
PID 3036 wrote to memory of 3216	3036	Explorer.EXE	servicesnbclm.exe
PID 3036 wrote to memory of 3216	3036	Explorer.EXE	servicesnbclm.exe
PID 3036 wrote to memory of 3216	3036	Explorer.EXE	servicesnbclm.exe
PID 3216 wrote to memory of 1788	3216	servicesnbclm.exe	servicesnbclm.exe
PID 3216 wrote to memory of 1788	3216	servicesnbclm.exe	servicesnbclm.exe
PID 3216 wrote to memory of 1788	3216	servicesnbclm.exe	servicesnbclm.exe
PID 3216 wrote to memory of 1788	3216	servicesnbclm.exe	servicesnbclm.exe
PID 3216 wrote to memory of 1788	3216	servicesnbclm.exe	servicesnbclm.exe
PID 3216 wrote to memory of 1788	3216	servicesnbclm.exe	servicesnbclm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\d0c7488tr739.exe
"C:\Users\Admin\AppData\Local\Temp\d0c7488tr739.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2492

C:\Users\Admin\AppData\Local\Temp\d0c7488tr739.exe
"C:\Users\Admin\AppData\Local\Temp\d0c7488tr739.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\d0c7488tr739.exe"
3⤵
PID:776

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:1936

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3164

C:\Program Files (x86)\Alxyly0\servicesnbclm.exe
"C:\Program Files (x86)\Alxyly0\servicesnbclm.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3216

C:\Program Files (x86)\Alxyly0\servicesnbclm.exe
"C:\Program Files (x86)\Alxyly0\servicesnbclm.exe"
3⤵
- Executes dropped EXE
PID:1788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Alxyly0\servicesnbclm.exe
MD5
326879d0158d92efc02be27a534e2af4

SHA1
f0a4055436bf4ab684f0ff38a0af2d87ef792069

SHA256
b17b8be05fc8389990be623a727369826383bfc2fb33693943f208faa184ff40

SHA512
950cc47ac43379abe7ba63de202543748d414969f48996e5e7082eaf79f27c9767980354c0483803881cbe88ccbee18a28037d04142274ff2aa14a394003a389

Download Submit
C:\Program Files (x86)\Alxyly0\servicesnbclm.exe
MD5
326879d0158d92efc02be27a534e2af4

SHA1
f0a4055436bf4ab684f0ff38a0af2d87ef792069

SHA256
b17b8be05fc8389990be623a727369826383bfc2fb33693943f208faa184ff40

SHA512
950cc47ac43379abe7ba63de202543748d414969f48996e5e7082eaf79f27c9767980354c0483803881cbe88ccbee18a28037d04142274ff2aa14a394003a389

Download Submit
C:\Program Files (x86)\Alxyly0\servicesnbclm.exe
MD5
326879d0158d92efc02be27a534e2af4

SHA1
f0a4055436bf4ab684f0ff38a0af2d87ef792069

SHA256
b17b8be05fc8389990be623a727369826383bfc2fb33693943f208faa184ff40

SHA512
950cc47ac43379abe7ba63de202543748d414969f48996e5e7082eaf79f27c9767980354c0483803881cbe88ccbee18a28037d04142274ff2aa14a394003a389

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoa8ol8ndaf34
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nswE855.tmp\jmmnbh.dll
MD5
3fe6933172cb97cd2f22413f795660ba

SHA1
1ee9dfeb2329eb108ec654db3e87f1e698e0e731

SHA256
f0ed5b1f290b36168d3cdce44b29a92dde64b558b350576431983f902fedeb8e

SHA512
e946a1b33031678108f325d4464b6fd6ff889cd397c2eb2e51347f0a9e33d3837ca2b020cfb9d34bd24ae7a4864b0549f2ab97fc560f39f00c0b82b17f054052

Download Submit
\Users\Admin\AppData\Local\Temp\nsxA3B4.tmp\jmmnbh.dll
MD5
3fe6933172cb97cd2f22413f795660ba

SHA1
1ee9dfeb2329eb108ec654db3e87f1e698e0e731

SHA256
f0ed5b1f290b36168d3cdce44b29a92dde64b558b350576431983f902fedeb8e

SHA512
e946a1b33031678108f325d4464b6fd6ff889cd397c2eb2e51347f0a9e33d3837ca2b020cfb9d34bd24ae7a4864b0549f2ab97fc560f39f00c0b82b17f054052

Download Submit
memory/776-125-0x0000000000000000-mapping.dmp

Download
memory/1788-137-0x000000000041D3E0-mapping.dmp

Download
memory/1936-129-0x0000000000000000-mapping.dmp

Download
memory/3036-128-0x0000000005EB0000-0x0000000005FBF000-memory.dmp

Filesize
1.1MB

Download
memory/3036-121-0x0000000005C20000-0x0000000005D9E000-memory.dmp

Filesize
1.5MB

Download
memory/3096-126-0x0000000004890000-0x0000000004BB0000-memory.dmp

Filesize
3.1MB

Download
memory/3096-127-0x0000000002CE0000-0x0000000002D70000-memory.dmp

Filesize
576KB

Download
memory/3096-124-0x00000000006E0000-0x0000000000709000-memory.dmp

Filesize
164KB

Download
memory/3096-123-0x0000000000870000-0x000000000088F000-memory.dmp

Filesize
124KB

Download
memory/3096-122-0x0000000000000000-mapping.dmp

Download
memory/3216-131-0x0000000000000000-mapping.dmp

Download
memory/3976-119-0x0000000000A80000-0x0000000000DA0000-memory.dmp

Filesize
3.1MB

Download
memory/3976-120-0x00000000004B0000-0x00000000005FA000-memory.dmp

Filesize
1.3MB

Download
memory/3976-117-0x000000000041D3E0-mapping.dmp

Download
memory/3976-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads