xloader | cc92a5217fc8672312221ff0c7e7e24fc466c94e47bd813545839052f4b71a30

General

Target

REE20212110575259OCT.exe
Size

498KB
MD5

9c00fc940483cff2a0f3f619db16ad54
SHA1

6f9c746d9cfb4e0bbf829783a82b883f7317b16b
SHA256

8a54e41751369783c64f56f30133b985933092324e9b2dad025641d23643280c
SHA512

30451538f9ed65159280a168c711056d7bc0776d0c30f1c82bfa4dfacfe4373c01f503004f1eacc1a690104f99bf7e78c61c5436261c0813508467ff5dd4ff21

Score

10^/10

xloader gab8 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

gab8

C2

http://www.purodetalle.com/gab8/

Decoy

amateurfeetworship.com

big-food.biz

metaversevolution.com

profecional-pacasmayo.com

royzoom.com

bekindevolution.com

hokozaki.com

waltersswholesale.com

wayfinderacu.com

schnurrgallery.com

babygearrentals.net

imggtoken.club

24x7x366.com

lakiernictwo.info

les-cours.com

dwticket.com

onarollshades.com

ramireztradepartners.com

safarparfums.com

6ngie.info

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4084-125-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4084-126-0x000000000041D3B0-mapping.dmp	xloader
behavioral2/memory/3428-171-0x0000000002870000-0x0000000002899000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

REE20212110575259OCT.exeREE20212110575259OCT.execmstp.exe

description	pid	process	target process
PID 2744 set thread context of 4084	2744	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 4084 set thread context of 2960	4084	REE20212110575259OCT.exe	Explorer.EXE
PID 3428 set thread context of 2960	3428	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

REE20212110575259OCT.exeREE20212110575259OCT.exepowershell.execmstp.exe

pid	process
2744	REE20212110575259OCT.exe
2744	REE20212110575259OCT.exe
4084	REE20212110575259OCT.exe
4084	REE20212110575259OCT.exe
4084	REE20212110575259OCT.exe
4084	REE20212110575259OCT.exe
700	powershell.exe
700	powershell.exe
700	powershell.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe
3428	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2960 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

REE20212110575259OCT.execmstp.exe

pid process

4084 REE20212110575259OCT.exe
4084 REE20212110575259OCT.exe
4084 REE20212110575259OCT.exe
3428 cmstp.exe
3428 cmstp.exe

pid	process
2960	Explorer.EXE

pid	process
4084	REE20212110575259OCT.exe
4084	REE20212110575259OCT.exe
4084	REE20212110575259OCT.exe
3428	cmstp.exe
3428	cmstp.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

REE20212110575259OCT.exeREE20212110575259OCT.exepowershell.execmstp.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2744	REE20212110575259OCT.exe
Token: SeDebugPrivilege	4084	REE20212110575259OCT.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	3428	cmstp.exe
Token: SeShutdownPrivilege	2960	Explorer.EXE
Token: SeCreatePagefilePrivilege	2960	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

REE20212110575259OCT.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 2744 wrote to memory of 700	2744	REE20212110575259OCT.exe	powershell.exe
PID 2744 wrote to memory of 700	2744	REE20212110575259OCT.exe	powershell.exe
PID 2744 wrote to memory of 700	2744	REE20212110575259OCT.exe	powershell.exe
PID 2744 wrote to memory of 3248	2744	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 2744 wrote to memory of 3248	2744	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 2744 wrote to memory of 3248	2744	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 2744 wrote to memory of 4084	2744	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 2744 wrote to memory of 4084	2744	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 2744 wrote to memory of 4084	2744	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 2744 wrote to memory of 4084	2744	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 2744 wrote to memory of 4084	2744	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 2744 wrote to memory of 4084	2744	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 2960 wrote to memory of 3428	2960	Explorer.EXE	cmstp.exe
PID 2960 wrote to memory of 3428	2960	Explorer.EXE	cmstp.exe
PID 2960 wrote to memory of 3428	2960	Explorer.EXE	cmstp.exe
PID 3428 wrote to memory of 708	3428	cmstp.exe	cmd.exe
PID 3428 wrote to memory of 708	3428	cmstp.exe	cmd.exe
PID 3428 wrote to memory of 708	3428	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe
"C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe
"C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
3⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe
"C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
3⤵
PID:708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/700-159-0x0000000009160000-0x0000000009161000-memory.dmp

Filesize
4KB

Download
memory/700-164-0x00000000092B0000-0x00000000092B1000-memory.dmp

Filesize
4KB

Download
memory/700-173-0x0000000006AA3000-0x0000000006AA4000-memory.dmp

Filesize
4KB

Download
memory/700-137-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/700-167-0x000000007E920000-0x000000007E921000-memory.dmp

Filesize
4KB

Download
memory/700-139-0x0000000007A30000-0x0000000007A31000-memory.dmp

Filesize
4KB

Download
memory/700-166-0x00000000094A0000-0x00000000094A1000-memory.dmp

Filesize
4KB

Download
memory/700-138-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/700-124-0x0000000000000000-mapping.dmp

Download
memory/700-152-0x0000000009180000-0x00000000091B3000-memory.dmp

Filesize
204KB

Download
memory/700-144-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/700-127-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/700-128-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/700-129-0x0000000006A10000-0x0000000006A11000-memory.dmp

Filesize
4KB

Download
memory/700-130-0x00000000070E0000-0x00000000070E1000-memory.dmp

Filesize
4KB

Download
memory/700-133-0x0000000006AA2000-0x0000000006AA3000-memory.dmp

Filesize
4KB

Download
memory/700-143-0x00000000081B0000-0x00000000081B1000-memory.dmp

Filesize
4KB

Download
memory/700-132-0x0000000006AA0000-0x0000000006AA1000-memory.dmp

Filesize
4KB

Download
memory/700-142-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/700-141-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/700-140-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/708-165-0x0000000000000000-mapping.dmp

Download
memory/2744-119-0x0000000005630000-0x0000000005B2E000-memory.dmp

Filesize
5.0MB

Download
memory/2744-115-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/2744-117-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/2744-118-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/2744-123-0x0000000006480000-0x00000000064CB000-memory.dmp

Filesize
300KB

Download
memory/2744-120-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/2744-121-0x0000000005990000-0x0000000005997000-memory.dmp

Filesize
28KB

Download
memory/2744-122-0x00000000064D0000-0x00000000064D1000-memory.dmp

Filesize
4KB

Download
memory/2960-386-0x0000000003320000-0x00000000033E9000-memory.dmp

Filesize
804KB

Download
memory/2960-134-0x0000000005990000-0x0000000005AC8000-memory.dmp

Filesize
1.2MB

Download
memory/3428-171-0x0000000002870000-0x0000000002899000-memory.dmp

Filesize
164KB

Download
memory/3428-169-0x00000000000B0000-0x00000000000C6000-memory.dmp

Filesize
88KB

Download
memory/3428-148-0x0000000000000000-mapping.dmp

Download
memory/3428-172-0x0000000004480000-0x00000000047A0000-memory.dmp

Filesize
3.1MB

Download
memory/3428-385-0x00000000041D0000-0x0000000004260000-memory.dmp

Filesize
576KB

Download
memory/4084-136-0x0000000001300000-0x0000000001311000-memory.dmp

Filesize
68KB

Download
memory/4084-125-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4084-126-0x000000000041D3B0-mapping.dmp

Download
memory/4084-135-0x00000000015C0000-0x00000000018E0000-memory.dmp

Filesize
3.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads