xloader | a8dd512305c64cc4bb8d456844e1a02defb4d3a012888de8b87b4c8ea58bb3b4

General

Target

MO_2580986754.exe
Size

251KB
MD5

b061f3cb09185ba712407645f423f4b1
SHA1

0c3cd8e82548c76e841be16d9ef1e37b6abc4b8f
SHA256

a8dd512305c64cc4bb8d456844e1a02defb4d3a012888de8b87b4c8ea58bb3b4
SHA512

0a03b535891be17d7fe3c0e9be95eba0a58540cba44a557cddaaca6b9231707431b49bcee667cf458699c9c06dd88fac511a868bce7d48102320721c654e43fc

Score

10^/10

xloader u5eh loader persistence rat spyware stealer suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u5eh

C2

http://www.retonamoss.com/u5eh/

Decoy

tryafaq.com

bobcathntshop.com

oglead.com

026skz.xyz

brasbux.com

adna17.com

noveltyrofjiy.xyz

realestatecompanys.com

leman-web.com

df5686.com

jonathonhawkins.com

juliedominyfloralartistry.com

classyeventsco.com

aquaticatt.com

iotworld.xyz

hoc8.com

disposablediapers.store

peregovorim.online

advancebits.club

getaburialplan.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/568-57-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/568-58-0x000000000041D3E0-mapping.dmp	xloader
behavioral1/memory/828-67-0x00000000000E0000-0x0000000000109000-memory.dmp	xloader
behavioral1/memory/1716-78-0x000000000041D3E0-mapping.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

certmgr7nj88v.execertmgr7nj88v.exe

pid process

1000 certmgr7nj88v.exe
1716 certmgr7nj88v.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

680 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

MO_2580986754.execertmgr7nj88v.exe

pid process

1100 MO_2580986754.exe
1000 certmgr7nj88v.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1000	certmgr7nj88v.exe
1716	certmgr7nj88v.exe

pid	process
680	cmd.exe

pid	process
1100	MO_2580986754.exe
1000	certmgr7nj88v.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	cmstp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\K62XCZYPTH_ = "C:\\Program Files (x86)\\Nzv14x\\certmgr7nj88v.exe"	cmstp.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

MO_2580986754.exeMO_2580986754.execmstp.execertmgr7nj88v.exe

description	pid	process	target process
PID 1100 set thread context of 568	1100	MO_2580986754.exe	MO_2580986754.exe
PID 568 set thread context of 1260	568	MO_2580986754.exe	Explorer.EXE
PID 828 set thread context of 1260	828	cmstp.exe	Explorer.EXE
PID 1000 set thread context of 1716	1000	certmgr7nj88v.exe	certmgr7nj88v.exe

Drops file in Program Files directory 2 IoCs

Processes:

cmstp.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Nzv14x\certmgr7nj88v.exe	cmstp.exe
File created	C:\Program Files (x86)\Nzv14x\certmgr7nj88v.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Nzv14x\certmgr7nj88v.exe	nsis_installer_1
C:\Program Files (x86)\Nzv14x\certmgr7nj88v.exe	nsis_installer_2
C:\Program Files (x86)\Nzv14x\certmgr7nj88v.exe	nsis_installer_1
C:\Program Files (x86)\Nzv14x\certmgr7nj88v.exe	nsis_installer_2
C:\Program Files (x86)\Nzv14x\certmgr7nj88v.exe	nsis_installer_1
C:\Program Files (x86)\Nzv14x\certmgr7nj88v.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2955169046-2371869340-1800780948-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

MO_2580986754.execmstp.execertmgr7nj88v.exe

pid	process
568	MO_2580986754.exe
568	MO_2580986754.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
1716	certmgr7nj88v.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe
828	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

MO_2580986754.execmstp.exe

pid process

568 MO_2580986754.exe
568 MO_2580986754.exe
568 MO_2580986754.exe
828 cmstp.exe
828 cmstp.exe
828 cmstp.exe
828 cmstp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

MO_2580986754.execmstp.execertmgr7nj88v.exe

description pid process

Token: SeDebugPrivilege 568 MO_2580986754.exe
Token: SeDebugPrivilege 828 cmstp.exe
Token: SeDebugPrivilege 1716 certmgr7nj88v.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
1260 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
1260 Explorer.EXE

pid	process
1260	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	568	MO_2580986754.exe
Token: SeDebugPrivilege	828	cmstp.exe
Token: SeDebugPrivilege	1716	certmgr7nj88v.exe

pid	process
1260	Explorer.EXE
1260	Explorer.EXE

pid	process
1260	Explorer.EXE
1260	Explorer.EXE

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

MO_2580986754.exeExplorer.EXEcmstp.execertmgr7nj88v.exe

description	pid	process	target process
PID 1100 wrote to memory of 568	1100	MO_2580986754.exe	MO_2580986754.exe
PID 1100 wrote to memory of 568	1100	MO_2580986754.exe	MO_2580986754.exe
PID 1100 wrote to memory of 568	1100	MO_2580986754.exe	MO_2580986754.exe
PID 1100 wrote to memory of 568	1100	MO_2580986754.exe	MO_2580986754.exe
PID 1100 wrote to memory of 568	1100	MO_2580986754.exe	MO_2580986754.exe
PID 1100 wrote to memory of 568	1100	MO_2580986754.exe	MO_2580986754.exe
PID 1100 wrote to memory of 568	1100	MO_2580986754.exe	MO_2580986754.exe
PID 1260 wrote to memory of 828	1260	Explorer.EXE	cmstp.exe
PID 1260 wrote to memory of 828	1260	Explorer.EXE	cmstp.exe
PID 1260 wrote to memory of 828	1260	Explorer.EXE	cmstp.exe
PID 1260 wrote to memory of 828	1260	Explorer.EXE	cmstp.exe
PID 1260 wrote to memory of 828	1260	Explorer.EXE	cmstp.exe
PID 1260 wrote to memory of 828	1260	Explorer.EXE	cmstp.exe
PID 1260 wrote to memory of 828	1260	Explorer.EXE	cmstp.exe
PID 828 wrote to memory of 680	828	cmstp.exe	cmd.exe
PID 828 wrote to memory of 680	828	cmstp.exe	cmd.exe
PID 828 wrote to memory of 680	828	cmstp.exe	cmd.exe
PID 828 wrote to memory of 680	828	cmstp.exe	cmd.exe
PID 828 wrote to memory of 1820	828	cmstp.exe	Firefox.exe
PID 828 wrote to memory of 1820	828	cmstp.exe	Firefox.exe
PID 828 wrote to memory of 1820	828	cmstp.exe	Firefox.exe
PID 828 wrote to memory of 1820	828	cmstp.exe	Firefox.exe
PID 1260 wrote to memory of 1000	1260	Explorer.EXE	certmgr7nj88v.exe
PID 1260 wrote to memory of 1000	1260	Explorer.EXE	certmgr7nj88v.exe
PID 1260 wrote to memory of 1000	1260	Explorer.EXE	certmgr7nj88v.exe
PID 1260 wrote to memory of 1000	1260	Explorer.EXE	certmgr7nj88v.exe
PID 1000 wrote to memory of 1716	1000	certmgr7nj88v.exe	certmgr7nj88v.exe
PID 1000 wrote to memory of 1716	1000	certmgr7nj88v.exe	certmgr7nj88v.exe
PID 1000 wrote to memory of 1716	1000	certmgr7nj88v.exe	certmgr7nj88v.exe
PID 1000 wrote to memory of 1716	1000	certmgr7nj88v.exe	certmgr7nj88v.exe
PID 1000 wrote to memory of 1716	1000	certmgr7nj88v.exe	certmgr7nj88v.exe
PID 1000 wrote to memory of 1716	1000	certmgr7nj88v.exe	certmgr7nj88v.exe
PID 1000 wrote to memory of 1716	1000	certmgr7nj88v.exe	certmgr7nj88v.exe
PID 828 wrote to memory of 1820	828	cmstp.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\MO_2580986754.exe
"C:\Users\Admin\AppData\Local\Temp\MO_2580986754.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\MO_2580986754.exe
"C:\Users\Admin\AppData\Local\Temp\MO_2580986754.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\MO_2580986754.exe"
3⤵
- Deletes itself
PID:680

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1820

C:\Program Files (x86)\Nzv14x\certmgr7nj88v.exe
"C:\Program Files (x86)\Nzv14x\certmgr7nj88v.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1000

C:\Program Files (x86)\Nzv14x\certmgr7nj88v.exe
"C:\Program Files (x86)\Nzv14x\certmgr7nj88v.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Nzv14x\certmgr7nj88v.exe
MD5
b061f3cb09185ba712407645f423f4b1

SHA1
0c3cd8e82548c76e841be16d9ef1e37b6abc4b8f

SHA256
a8dd512305c64cc4bb8d456844e1a02defb4d3a012888de8b87b4c8ea58bb3b4

SHA512
0a03b535891be17d7fe3c0e9be95eba0a58540cba44a557cddaaca6b9231707431b49bcee667cf458699c9c06dd88fac511a868bce7d48102320721c654e43fc

Download Submit
C:\Program Files (x86)\Nzv14x\certmgr7nj88v.exe
MD5
b061f3cb09185ba712407645f423f4b1

SHA1
0c3cd8e82548c76e841be16d9ef1e37b6abc4b8f

SHA256
a8dd512305c64cc4bb8d456844e1a02defb4d3a012888de8b87b4c8ea58bb3b4

SHA512
0a03b535891be17d7fe3c0e9be95eba0a58540cba44a557cddaaca6b9231707431b49bcee667cf458699c9c06dd88fac511a868bce7d48102320721c654e43fc

Download Submit
C:\Program Files (x86)\Nzv14x\certmgr7nj88v.exe
MD5
b061f3cb09185ba712407645f423f4b1

SHA1
0c3cd8e82548c76e841be16d9ef1e37b6abc4b8f

SHA256
a8dd512305c64cc4bb8d456844e1a02defb4d3a012888de8b87b4c8ea58bb3b4

SHA512
0a03b535891be17d7fe3c0e9be95eba0a58540cba44a557cddaaca6b9231707431b49bcee667cf458699c9c06dd88fac511a868bce7d48102320721c654e43fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jzi1up9hjt7ym07nh
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nstBD28.tmp\uwrccjlozps.dll
MD5
fbe1297387ed82513628ea53759fa97f

SHA1
95a8bb562f6b5c36ef1c938723c10fbfa5ae3a63

SHA256
7330257789e2ac84f5af036ccbe203e417bd6d17a731b11914c2cb4a046fcee9

SHA512
6273619cdaaab4ab1f78f0822b5949a250a68e4f82fa142178844edbf6c3b7e4cf90cf39a493d9c60ef0ae8bad02bfe76d71b26dd30ec794c129f8773122b73d

Download Submit
\Users\Admin\AppData\Local\Temp\nstF816.tmp\uwrccjlozps.dll
MD5
fbe1297387ed82513628ea53759fa97f

SHA1
95a8bb562f6b5c36ef1c938723c10fbfa5ae3a63

SHA256
7330257789e2ac84f5af036ccbe203e417bd6d17a731b11914c2cb4a046fcee9

SHA512
6273619cdaaab4ab1f78f0822b5949a250a68e4f82fa142178844edbf6c3b7e4cf90cf39a493d9c60ef0ae8bad02bfe76d71b26dd30ec794c129f8773122b73d

Download Submit
memory/568-61-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/568-60-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/568-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/568-58-0x000000000041D3E0-mapping.dmp

Download
memory/680-65-0x0000000000000000-mapping.dmp

Download
memory/828-66-0x0000000000290000-0x00000000002A8000-memory.dmp

Filesize
96KB

Download
memory/828-67-0x00000000000E0000-0x0000000000109000-memory.dmp

Filesize
164KB

Download
memory/828-68-0x0000000001F90000-0x0000000002293000-memory.dmp

Filesize
3.0MB

Download
memory/828-69-0x0000000001D50000-0x0000000001DE0000-memory.dmp

Filesize
576KB

Download
memory/828-63-0x0000000000000000-mapping.dmp

Download
memory/1000-71-0x0000000000000000-mapping.dmp

Download
memory/1100-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1260-62-0x00000000067E0000-0x00000000068E0000-memory.dmp

Filesize
1024KB

Download
memory/1260-70-0x0000000006B10000-0x0000000006C51000-memory.dmp

Filesize
1.3MB

Download
memory/1716-78-0x000000000041D3E0-mapping.dmp

Download
memory/1716-80-0x0000000000950000-0x0000000000C53000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads