xloader | cc92a5217fc8672312221ff0c7e7e24fc466c94e47bd813545839052f4b71a30

General

Target

REE20212110575259OCT.exe
Size

498KB
MD5

9c00fc940483cff2a0f3f619db16ad54
SHA1

6f9c746d9cfb4e0bbf829783a82b883f7317b16b
SHA256

8a54e41751369783c64f56f30133b985933092324e9b2dad025641d23643280c
SHA512

30451538f9ed65159280a168c711056d7bc0776d0c30f1c82bfa4dfacfe4373c01f503004f1eacc1a690104f99bf7e78c61c5436261c0813508467ff5dd4ff21

Score

10^/10

xloader gab8 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

gab8

C2

http://www.purodetalle.com/gab8/

Decoy

amateurfeetworship.com

big-food.biz

metaversevolution.com

profecional-pacasmayo.com

royzoom.com

bekindevolution.com

hokozaki.com

waltersswholesale.com

wayfinderacu.com

schnurrgallery.com

babygearrentals.net

imggtoken.club

24x7x366.com

lakiernictwo.info

les-cours.com

dwticket.com

onarollshades.com

ramireztradepartners.com

safarparfums.com

6ngie.info

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1740-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1740-64-0x000000000041D3B0-mapping.dmp	xloader
behavioral1/memory/1740-73-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/956-80-0x0000000000090000-0x00000000000B9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1456 cmd.exe

pid	process
1456	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

REE20212110575259OCT.exeREE20212110575259OCT.exerundll32.exe

description	pid	process	target process
PID 1720 set thread context of 1740	1720	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 1740 set thread context of 1400	1740	REE20212110575259OCT.exe	Explorer.EXE
PID 1740 set thread context of 1400	1740	REE20212110575259OCT.exe	Explorer.EXE
PID 956 set thread context of 1400	956	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

REE20212110575259OCT.exepowershell.exerundll32.exe

pid	process
1740	REE20212110575259OCT.exe
568	powershell.exe
1740	REE20212110575259OCT.exe
1740	REE20212110575259OCT.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

REE20212110575259OCT.exerundll32.exe

pid	process
1740	REE20212110575259OCT.exe
1740	REE20212110575259OCT.exe
1740	REE20212110575259OCT.exe
1740	REE20212110575259OCT.exe
956	rundll32.exe
956	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

REE20212110575259OCT.exepowershell.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	1740	REE20212110575259OCT.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	956	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1400 Explorer.EXE
1400 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1400 Explorer.EXE
1400 Explorer.EXE

pid	process
1400	Explorer.EXE
1400	Explorer.EXE

pid	process
1400	Explorer.EXE
1400	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

REE20212110575259OCT.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1720 wrote to memory of 568	1720	REE20212110575259OCT.exe	powershell.exe
PID 1720 wrote to memory of 568	1720	REE20212110575259OCT.exe	powershell.exe
PID 1720 wrote to memory of 568	1720	REE20212110575259OCT.exe	powershell.exe
PID 1720 wrote to memory of 568	1720	REE20212110575259OCT.exe	powershell.exe
PID 1720 wrote to memory of 1740	1720	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 1720 wrote to memory of 1740	1720	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 1720 wrote to memory of 1740	1720	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 1720 wrote to memory of 1740	1720	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 1720 wrote to memory of 1740	1720	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 1720 wrote to memory of 1740	1720	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 1720 wrote to memory of 1740	1720	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 1400 wrote to memory of 956	1400	Explorer.EXE	rundll32.exe
PID 1400 wrote to memory of 956	1400	Explorer.EXE	rundll32.exe
PID 1400 wrote to memory of 956	1400	Explorer.EXE	rundll32.exe
PID 1400 wrote to memory of 956	1400	Explorer.EXE	rundll32.exe
PID 1400 wrote to memory of 956	1400	Explorer.EXE	rundll32.exe
PID 1400 wrote to memory of 956	1400	Explorer.EXE	rundll32.exe
PID 1400 wrote to memory of 956	1400	Explorer.EXE	rundll32.exe
PID 956 wrote to memory of 1456	956	rundll32.exe	cmd.exe
PID 956 wrote to memory of 1456	956	rundll32.exe	cmd.exe
PID 956 wrote to memory of 1456	956	rundll32.exe	cmd.exe
PID 956 wrote to memory of 1456	956	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe
"C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe
"C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
3⤵
- Deletes itself
PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/568-60-0x0000000000000000-mapping.dmp

Download
memory/568-70-0x0000000002482000-0x0000000002484000-memory.dmp

Filesize
8KB

Download
memory/568-67-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/568-68-0x0000000002481000-0x0000000002482000-memory.dmp

Filesize
4KB

Download
memory/956-80-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/956-79-0x0000000000720000-0x000000000072E000-memory.dmp

Filesize
56KB

Download
memory/956-76-0x0000000000000000-mapping.dmp

Download
memory/956-81-0x00000000021B0000-0x00000000024B3000-memory.dmp

Filesize
3.0MB

Download
memory/956-82-0x0000000001E50000-0x0000000001EE0000-memory.dmp

Filesize
576KB

Download
memory/1400-83-0x0000000008B10000-0x0000000008C0C000-memory.dmp

Filesize
1008KB

Download
memory/1400-75-0x0000000006A70000-0x0000000006BAD000-memory.dmp

Filesize
1.2MB

Download
memory/1400-72-0x0000000006950000-0x0000000006A65000-memory.dmp

Filesize
1.1MB

Download
memory/1456-78-0x0000000000000000-mapping.dmp

Download
memory/1720-58-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/1720-57-0x00000000004F0000-0x00000000004F7000-memory.dmp

Filesize
28KB

Download
memory/1720-56-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1720-59-0x0000000004E10000-0x0000000004E5B000-memory.dmp

Filesize
300KB

Download
memory/1720-54-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1740-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1740-74-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/1740-73-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1740-71-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/1740-69-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download
memory/1740-64-0x000000000041D3B0-mapping.dmp

Download
memory/1740-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1740-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads