xloader | cc92a5217fc8672312221ff0c7e7e24fc466c94e47bd813545839052f4b71a30

General

Target

REE20212110575259OCT.exe
Size

498KB
MD5

9c00fc940483cff2a0f3f619db16ad54
SHA1

6f9c746d9cfb4e0bbf829783a82b883f7317b16b
SHA256

8a54e41751369783c64f56f30133b985933092324e9b2dad025641d23643280c
SHA512

30451538f9ed65159280a168c711056d7bc0776d0c30f1c82bfa4dfacfe4373c01f503004f1eacc1a690104f99bf7e78c61c5436261c0813508467ff5dd4ff21

Score

10^/10

xloader gab8 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

gab8

C2

http://www.purodetalle.com/gab8/

Decoy

amateurfeetworship.com

big-food.biz

metaversevolution.com

profecional-pacasmayo.com

royzoom.com

bekindevolution.com

hokozaki.com

waltersswholesale.com

wayfinderacu.com

schnurrgallery.com

babygearrentals.net

imggtoken.club

24x7x366.com

lakiernictwo.info

les-cours.com

dwticket.com

onarollshades.com

ramireztradepartners.com

safarparfums.com

6ngie.info

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral6/memory/1356-128-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral6/memory/1356-129-0x000000000041D3B0-mapping.dmp	xloader
behavioral6/memory/1376-151-0x0000000002A00000-0x0000000002A29000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

REE20212110575259OCT.exeREE20212110575259OCT.execolorcpl.exe

description	pid	process	target process
PID 3752 set thread context of 1356	3752	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 1356 set thread context of 2648	1356	REE20212110575259OCT.exe	Explorer.EXE
PID 1376 set thread context of 2648	1376	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

REE20212110575259OCT.exeREE20212110575259OCT.exepowershell.execolorcpl.exe

pid	process
3752	REE20212110575259OCT.exe
3752	REE20212110575259OCT.exe
1356	REE20212110575259OCT.exe
1356	REE20212110575259OCT.exe
740	powershell.exe
1356	REE20212110575259OCT.exe
1356	REE20212110575259OCT.exe
740	powershell.exe
740	powershell.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe
1376	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2648 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

REE20212110575259OCT.execolorcpl.exe

pid process

1356 REE20212110575259OCT.exe
1356 REE20212110575259OCT.exe
1356 REE20212110575259OCT.exe
1376 colorcpl.exe
1376 colorcpl.exe

pid	process
2648	Explorer.EXE

pid	process
1356	REE20212110575259OCT.exe
1356	REE20212110575259OCT.exe
1356	REE20212110575259OCT.exe
1376	colorcpl.exe
1376	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

REE20212110575259OCT.exeREE20212110575259OCT.exepowershell.execolorcpl.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3752	REE20212110575259OCT.exe
Token: SeDebugPrivilege	1356	REE20212110575259OCT.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	1376	colorcpl.exe
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

REE20212110575259OCT.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 3752 wrote to memory of 740	3752	REE20212110575259OCT.exe	powershell.exe
PID 3752 wrote to memory of 740	3752	REE20212110575259OCT.exe	powershell.exe
PID 3752 wrote to memory of 740	3752	REE20212110575259OCT.exe	powershell.exe
PID 3752 wrote to memory of 1768	3752	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 3752 wrote to memory of 1768	3752	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 3752 wrote to memory of 1768	3752	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 3752 wrote to memory of 1356	3752	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 3752 wrote to memory of 1356	3752	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 3752 wrote to memory of 1356	3752	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 3752 wrote to memory of 1356	3752	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 3752 wrote to memory of 1356	3752	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 3752 wrote to memory of 1356	3752	REE20212110575259OCT.exe	REE20212110575259OCT.exe
PID 2648 wrote to memory of 1376	2648	Explorer.EXE	colorcpl.exe
PID 2648 wrote to memory of 1376	2648	Explorer.EXE	colorcpl.exe
PID 2648 wrote to memory of 1376	2648	Explorer.EXE	colorcpl.exe
PID 1376 wrote to memory of 2044	1376	colorcpl.exe	cmd.exe
PID 1376 wrote to memory of 2044	1376	colorcpl.exe	cmd.exe
PID 1376 wrote to memory of 2044	1376	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe
"C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe
"C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
3⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe
"C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2580

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
3⤵
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-145-0x00000000080C0000-0x00000000080C1000-memory.dmp

Filesize
4KB

Download
memory/740-171-0x000000007F200000-0x000000007F201000-memory.dmp

Filesize
4KB

Download
memory/740-144-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/740-131-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/740-130-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/740-166-0x0000000008DB0000-0x0000000008DB1000-memory.dmp

Filesize
4KB

Download
memory/740-159-0x0000000008DD0000-0x0000000008E03000-memory.dmp

Filesize
204KB

Download
memory/740-148-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/740-127-0x0000000000000000-mapping.dmp

Download
memory/740-146-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/740-173-0x00000000092F0000-0x00000000092F1000-memory.dmp

Filesize
4KB

Download
memory/740-189-0x0000000006B43000-0x0000000006B44000-memory.dmp

Filesize
4KB

Download
memory/740-172-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/740-132-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/740-133-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/740-134-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/740-135-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/740-136-0x0000000007030000-0x0000000007031000-memory.dmp

Filesize
4KB

Download
memory/740-138-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/740-139-0x0000000006B40000-0x0000000006B41000-memory.dmp

Filesize
4KB

Download
memory/740-140-0x0000000006B42000-0x0000000006B43000-memory.dmp

Filesize
4KB

Download
memory/1356-129-0x000000000041D3B0-mapping.dmp

Download
memory/1356-128-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1356-142-0x0000000001520000-0x000000000166A000-memory.dmp

Filesize
1.3MB

Download
memory/1356-141-0x0000000001A30000-0x0000000001D50000-memory.dmp

Filesize
3.1MB

Download
memory/1376-150-0x00000000000D0000-0x00000000000E9000-memory.dmp

Filesize
100KB

Download
memory/1376-153-0x00000000042E0000-0x0000000004600000-memory.dmp

Filesize
3.1MB

Download
memory/1376-147-0x0000000000000000-mapping.dmp

Download
memory/1376-351-0x00000000041D0000-0x0000000004260000-memory.dmp

Filesize
576KB

Download
memory/1376-151-0x0000000002A00000-0x0000000002A29000-memory.dmp

Filesize
164KB

Download
memory/2044-152-0x0000000000000000-mapping.dmp

Download
memory/2648-143-0x0000000006740000-0x00000000068B7000-memory.dmp

Filesize
1.5MB

Download
memory/2648-352-0x0000000002950000-0x00000000029FA000-memory.dmp

Filesize
680KB

Download
memory/3752-118-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/3752-125-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/3752-124-0x0000000004B60000-0x0000000004B67000-memory.dmp

Filesize
28KB

Download
memory/3752-123-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/3752-122-0x0000000004AA0000-0x0000000004F9E000-memory.dmp

Filesize
5.0MB

Download
memory/3752-121-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/3752-120-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3752-126-0x0000000005730000-0x000000000577B000-memory.dmp

Filesize
300KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads