xloader | a8dd512305c64cc4bb8d456844e1a02defb4d3a012888de8b87b4c8ea58bb3b4

General

Target

MO_2580986754.exe
Size

251KB
MD5

b061f3cb09185ba712407645f423f4b1
SHA1

0c3cd8e82548c76e841be16d9ef1e37b6abc4b8f
SHA256

a8dd512305c64cc4bb8d456844e1a02defb4d3a012888de8b87b4c8ea58bb3b4
SHA512

0a03b535891be17d7fe3c0e9be95eba0a58540cba44a557cddaaca6b9231707431b49bcee667cf458699c9c06dd88fac511a868bce7d48102320721c654e43fc

Score

10^/10

xloader u5eh loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u5eh

C2

http://www.retonamoss.com/u5eh/

Decoy

tryafaq.com

bobcathntshop.com

oglead.com

026skz.xyz

brasbux.com

adna17.com

noveltyrofjiy.xyz

realestatecompanys.com

leman-web.com

df5686.com

jonathonhawkins.com

juliedominyfloralartistry.com

classyeventsco.com

aquaticatt.com

iotworld.xyz

hoc8.com

disposablediapers.store

peregovorim.online

advancebits.club

getaburialplan.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2136-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2136-117-0x000000000041D3E0-mapping.dmp	xloader
behavioral2/memory/2260-124-0x0000000000E50000-0x0000000000E79000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

MO_2580986754.exe

pid process

2092 MO_2580986754.exe

pid	process
2092	MO_2580986754.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

MO_2580986754.exeMO_2580986754.exehelp.exe

description	pid	process	target process
PID 2092 set thread context of 2136	2092	MO_2580986754.exe	MO_2580986754.exe
PID 2136 set thread context of 3068	2136	MO_2580986754.exe	Explorer.EXE
PID 2260 set thread context of 3068	2260	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

MO_2580986754.exehelp.exe

pid	process
2136	MO_2580986754.exe
2136	MO_2580986754.exe
2136	MO_2580986754.exe
2136	MO_2580986754.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe
2260	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3068 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

MO_2580986754.exehelp.exe

pid process

2136 MO_2580986754.exe
2136 MO_2580986754.exe
2136 MO_2580986754.exe
2260 help.exe
2260 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MO_2580986754.exehelp.exe

description pid process

Token: SeDebugPrivilege 2136 MO_2580986754.exe
Token: SeDebugPrivilege 2260 help.exe

pid	process
3068	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2136	MO_2580986754.exe
Token: SeDebugPrivilege	2260	help.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MO_2580986754.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 2092 wrote to memory of 2136	2092	MO_2580986754.exe	MO_2580986754.exe
PID 2092 wrote to memory of 2136	2092	MO_2580986754.exe	MO_2580986754.exe
PID 2092 wrote to memory of 2136	2092	MO_2580986754.exe	MO_2580986754.exe
PID 2092 wrote to memory of 2136	2092	MO_2580986754.exe	MO_2580986754.exe
PID 2092 wrote to memory of 2136	2092	MO_2580986754.exe	MO_2580986754.exe
PID 2092 wrote to memory of 2136	2092	MO_2580986754.exe	MO_2580986754.exe
PID 3068 wrote to memory of 2260	3068	Explorer.EXE	help.exe
PID 3068 wrote to memory of 2260	3068	Explorer.EXE	help.exe
PID 3068 wrote to memory of 2260	3068	Explorer.EXE	help.exe
PID 2260 wrote to memory of 1284	2260	help.exe	cmd.exe
PID 2260 wrote to memory of 1284	2260	help.exe	cmd.exe
PID 2260 wrote to memory of 1284	2260	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\MO_2580986754.exe
"C:\Users\Admin\AppData\Local\Temp\MO_2580986754.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\MO_2580986754.exe
"C:\Users\Admin\AppData\Local\Temp\MO_2580986754.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\MO_2580986754.exe"
3⤵
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nslD246.tmp\uwrccjlozps.dll
MD5
fbe1297387ed82513628ea53759fa97f

SHA1
95a8bb562f6b5c36ef1c938723c10fbfa5ae3a63

SHA256
7330257789e2ac84f5af036ccbe203e417bd6d17a731b11914c2cb4a046fcee9

SHA512
6273619cdaaab4ab1f78f0822b5949a250a68e4f82fa142178844edbf6c3b7e4cf90cf39a493d9c60ef0ae8bad02bfe76d71b26dd30ec794c129f8773122b73d

Download Submit
memory/1284-125-0x0000000000000000-mapping.dmp

Download
memory/2136-120-0x00000000006E0000-0x00000000006F1000-memory.dmp

Filesize
68KB

Download
memory/2136-117-0x000000000041D3E0-mapping.dmp

Download
memory/2136-119-0x0000000000B50000-0x0000000000E70000-memory.dmp

Filesize
3.1MB

Download
memory/2136-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2260-122-0x0000000000000000-mapping.dmp

Download
memory/2260-124-0x0000000000E50000-0x0000000000E79000-memory.dmp

Filesize
164KB

Download
memory/2260-123-0x0000000000FD0000-0x0000000000FD7000-memory.dmp

Filesize
28KB

Download
memory/2260-126-0x00000000036B0000-0x00000000039D0000-memory.dmp

Filesize
3.1MB

Download
memory/2260-127-0x0000000003280000-0x0000000003310000-memory.dmp

Filesize
576KB

Download
memory/3068-121-0x0000000000CD0000-0x0000000000DD8000-memory.dmp

Filesize
1.0MB

Download
memory/3068-128-0x0000000006790000-0x00000000068FE000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads