xloader | 768a13d336ce62e221c5228b84d9b98446f936ed9f29d0a7b281214cd7065617

General

Target

XXX00954345678LK.exe
Size

412KB
MD5

7efcc253b788f264320f6f7f3afbbaff
SHA1

5c25530ed2eb2dff34056aa855bd16e6aef9c3a9
SHA256

6fa43d41bcec83773fa6f333655029d886633b7a46153d9f7ffbe3c44de19be9
SHA512

aa410052ea52603c1ce87b4b696c62db540e0b903f618aa9384be09efd16c50acad654e8edd908b4724f8caa35e02cdaf125397d2a1c48acb305f7d4363d620e

Score

10^/10

xloader iaop loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

iaop

C2

http://www.georgeinnhatherleigh.com/iaop/

Decoy

oosakichi.com

group1beadles.com

navegadorexclusivo.digital

awefca.xyz

strakerwilliams.com

stone-img.com

radialodge.com

tequesquitengo.net

humanegardens.com

rubberyporqjp.xyz

farazkhak.com

gfsexpornvideos.com

stealth-carrier.com

hemtpi.xyz

tygcj.com

agileiance.com

ioan316.com

kitchendesigns.xyz

shannacarolphotography.com

oheytech88.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1192-117-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1192-118-0x000000000041D4E0-mapping.dmp	xloader
behavioral2/memory/1496-125-0x0000000002C10000-0x0000000002C39000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

XXX00954345678LK.exe

pid process

3740 XXX00954345678LK.exe

pid	process
3740	XXX00954345678LK.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

XXX00954345678LK.exeXXX00954345678LK.execmmon32.exe

description	pid	process	target process
PID 3740 set thread context of 1192	3740	XXX00954345678LK.exe	XXX00954345678LK.exe
PID 1192 set thread context of 2792	1192	XXX00954345678LK.exe	Explorer.EXE
PID 1496 set thread context of 2792	1496	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

XXX00954345678LK.execmmon32.exe

pid	process
1192	XXX00954345678LK.exe
1192	XXX00954345678LK.exe
1192	XXX00954345678LK.exe
1192	XXX00954345678LK.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe
1496	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2792 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

XXX00954345678LK.execmmon32.exe

pid process

1192 XXX00954345678LK.exe
1192 XXX00954345678LK.exe
1192 XXX00954345678LK.exe
1496 cmmon32.exe
1496 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

XXX00954345678LK.execmmon32.exe

description pid process

Token: SeDebugPrivilege 1192 XXX00954345678LK.exe
Token: SeDebugPrivilege 1496 cmmon32.exe

pid	process
2792	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1192	XXX00954345678LK.exe
Token: SeDebugPrivilege	1496	cmmon32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

XXX00954345678LK.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 3740 wrote to memory of 1192	3740	XXX00954345678LK.exe	XXX00954345678LK.exe
PID 3740 wrote to memory of 1192	3740	XXX00954345678LK.exe	XXX00954345678LK.exe
PID 3740 wrote to memory of 1192	3740	XXX00954345678LK.exe	XXX00954345678LK.exe
PID 3740 wrote to memory of 1192	3740	XXX00954345678LK.exe	XXX00954345678LK.exe
PID 3740 wrote to memory of 1192	3740	XXX00954345678LK.exe	XXX00954345678LK.exe
PID 3740 wrote to memory of 1192	3740	XXX00954345678LK.exe	XXX00954345678LK.exe
PID 2792 wrote to memory of 1496	2792	Explorer.EXE	cmmon32.exe
PID 2792 wrote to memory of 1496	2792	Explorer.EXE	cmmon32.exe
PID 2792 wrote to memory of 1496	2792	Explorer.EXE	cmmon32.exe
PID 1496 wrote to memory of 2300	1496	cmmon32.exe	cmd.exe
PID 1496 wrote to memory of 2300	1496	cmmon32.exe	cmd.exe
PID 1496 wrote to memory of 2300	1496	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\AppData\Local\Temp\XXX00954345678LK.exe
"C:\Users\Admin\AppData\Local\Temp\XXX00954345678LK.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3740

C:\Users\Admin\AppData\Local\Temp\XXX00954345678LK.exe
"C:\Users\Admin\AppData\Local\Temp\XXX00954345678LK.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\XXX00954345678LK.exe"
3⤵
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsz4ED8.tmp\ghuvxtn.dll
MD5
17d74b485e249ed2769c1c7ff50ee44b

SHA1
776fb735a96320f814d6f511d0b2a9449c019725

SHA256
2a8a02db1d8e387f1318ec26d04aaa8bc823c78e6dd38b6692284189f0060938

SHA512
4eb12eba9c1ac50b3687998dd27eb68986b4e75ee3584c7264fc63f3104e9edfe5aeaf18a1bc74ac50cab982e8c0c8e06424e0ef44534b3b258ff730b7b153ae

Download Submit
memory/1192-117-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1192-118-0x000000000041D4E0-mapping.dmp

Download
memory/1192-121-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/1192-120-0x0000000000A60000-0x0000000000D80000-memory.dmp

Filesize
3.1MB

Download
memory/1496-123-0x0000000000000000-mapping.dmp

Download
memory/1496-124-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download
memory/1496-126-0x00000000044E0000-0x0000000004800000-memory.dmp

Filesize
3.1MB

Download
memory/1496-125-0x0000000002C10000-0x0000000002C39000-memory.dmp

Filesize
164KB

Download
memory/1496-128-0x0000000004340000-0x00000000043D0000-memory.dmp

Filesize
576KB

Download
memory/2300-127-0x0000000000000000-mapping.dmp

Download
memory/2792-122-0x0000000002D70000-0x0000000002E4A000-memory.dmp

Filesize
872KB

Download
memory/2792-129-0x0000000006E30000-0x0000000006F37000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads