xloader | 2e8dbbac127f620f64817f3674be70bb481ed70e89796f387caed0a11229540c

General

Target

VSL_MV SEA-BLUE SHIP OWNERS.exe
Size

288KB
MD5

0b1723d1301f6c728884ecd4d7d0ae03
SHA1

ae99846517dfd9c3c69ec13285d089ca68419cda
SHA256

2e8dbbac127f620f64817f3674be70bb481ed70e89796f387caed0a11229540c
SHA512

5880ef204c1505200426e1f33af75e064cb425866e68644b4f0ba7d235bc6e273017a22889a6869e146efdaff674c37cd10b416ee9d4d94e3681d1a1dc609d5c

Score

10^/10

xloader e8ia loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

e8ia

C2

http://www.helpfromjames.com/e8ia/

Decoy

le-hameau-enchanteur.com

quantumsystem-au.club

engravedeeply.com

yesrecompensas.lat

cavallitowerofficials.com

800seaspray.com

skifun-jetski.com

thouartafoot.com

nft2dollar.com

petrestore.online

cjcutthecord2.com

tippimccullough.com

gadget198.xyz

djmiriam.com

bitbasepay.com

cukierniawz.com

mcclureic.xyz

inthekitchenshakinandbakin.com

busy-clicks.com

melaniemorris.online

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/700-57-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/700-58-0x000000000041D4D0-mapping.dmp	xloader
behavioral1/memory/700-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1424-69-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

608 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

VSL_MV SEA-BLUE SHIP OWNERS.exe

pid process

1648 VSL_MV SEA-BLUE SHIP OWNERS.exe

pid	process
608	cmd.exe

pid	process
1648	VSL_MV SEA-BLUE SHIP OWNERS.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

VSL_MV SEA-BLUE SHIP OWNERS.exeVSL_MV SEA-BLUE SHIP OWNERS.exechkdsk.exe

description	pid	process	target process
PID 1648 set thread context of 700	1648	VSL_MV SEA-BLUE SHIP OWNERS.exe	VSL_MV SEA-BLUE SHIP OWNERS.exe
PID 700 set thread context of 1400	700	VSL_MV SEA-BLUE SHIP OWNERS.exe	Explorer.EXE
PID 700 set thread context of 1400	700	VSL_MV SEA-BLUE SHIP OWNERS.exe	Explorer.EXE
PID 1424 set thread context of 1400	1424	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

VSL_MV SEA-BLUE SHIP OWNERS.exechkdsk.exe

pid	process
700	VSL_MV SEA-BLUE SHIP OWNERS.exe
700	VSL_MV SEA-BLUE SHIP OWNERS.exe
700	VSL_MV SEA-BLUE SHIP OWNERS.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe
1424	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1400 Explorer.EXE

pid	process
1400	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

VSL_MV SEA-BLUE SHIP OWNERS.exechkdsk.exe

pid	process
700	VSL_MV SEA-BLUE SHIP OWNERS.exe
700	VSL_MV SEA-BLUE SHIP OWNERS.exe
700	VSL_MV SEA-BLUE SHIP OWNERS.exe
700	VSL_MV SEA-BLUE SHIP OWNERS.exe
1424	chkdsk.exe
1424	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

VSL_MV SEA-BLUE SHIP OWNERS.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 700 VSL_MV SEA-BLUE SHIP OWNERS.exe
Token: SeDebugPrivilege 1424 chkdsk.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1400 Explorer.EXE
1400 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1400 Explorer.EXE
1400 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	700	VSL_MV SEA-BLUE SHIP OWNERS.exe
Token: SeDebugPrivilege	1424	chkdsk.exe

pid	process
1400	Explorer.EXE
1400	Explorer.EXE

pid	process
1400	Explorer.EXE
1400	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

VSL_MV SEA-BLUE SHIP OWNERS.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 1648 wrote to memory of 700	1648	VSL_MV SEA-BLUE SHIP OWNERS.exe	VSL_MV SEA-BLUE SHIP OWNERS.exe
PID 1648 wrote to memory of 700	1648	VSL_MV SEA-BLUE SHIP OWNERS.exe	VSL_MV SEA-BLUE SHIP OWNERS.exe
PID 1648 wrote to memory of 700	1648	VSL_MV SEA-BLUE SHIP OWNERS.exe	VSL_MV SEA-BLUE SHIP OWNERS.exe
PID 1648 wrote to memory of 700	1648	VSL_MV SEA-BLUE SHIP OWNERS.exe	VSL_MV SEA-BLUE SHIP OWNERS.exe
PID 1648 wrote to memory of 700	1648	VSL_MV SEA-BLUE SHIP OWNERS.exe	VSL_MV SEA-BLUE SHIP OWNERS.exe
PID 1648 wrote to memory of 700	1648	VSL_MV SEA-BLUE SHIP OWNERS.exe	VSL_MV SEA-BLUE SHIP OWNERS.exe
PID 1648 wrote to memory of 700	1648	VSL_MV SEA-BLUE SHIP OWNERS.exe	VSL_MV SEA-BLUE SHIP OWNERS.exe
PID 1400 wrote to memory of 1424	1400	Explorer.EXE	chkdsk.exe
PID 1400 wrote to memory of 1424	1400	Explorer.EXE	chkdsk.exe
PID 1400 wrote to memory of 1424	1400	Explorer.EXE	chkdsk.exe
PID 1400 wrote to memory of 1424	1400	Explorer.EXE	chkdsk.exe
PID 1424 wrote to memory of 608	1424	chkdsk.exe	cmd.exe
PID 1424 wrote to memory of 608	1424	chkdsk.exe	cmd.exe
PID 1424 wrote to memory of 608	1424	chkdsk.exe	cmd.exe
PID 1424 wrote to memory of 608	1424	chkdsk.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\VSL_MV SEA-BLUE SHIP OWNERS.exe
"C:\Users\Admin\AppData\Local\Temp\VSL_MV SEA-BLUE SHIP OWNERS.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\VSL_MV SEA-BLUE SHIP OWNERS.exe
"C:\Users\Admin\AppData\Local\Temp\VSL_MV SEA-BLUE SHIP OWNERS.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\VSL_MV SEA-BLUE SHIP OWNERS.exe"
3⤵
- Deletes itself
PID:608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsyC8FB.tmp\oossyesm.dll
MD5
466537c1f36e8f00cabbdda451bea83c

SHA1
56cf8989ce0eb1199ec325a899f5fd43625ee429

SHA256
8af8280ecf9055a93b3aa88539f675e4963a53a7d1eaecccad283693ed391d2e

SHA512
c0b22b4eb3f32a3c0e7ab4c3856759774d00b41c3ac3764eadf1f4b8056bba8ff1efa55b4519922c558c1f6f143668c3b8ece188f4bcae6b9a1b8c240d71f05b

Download Submit
memory/608-67-0x0000000000000000-mapping.dmp

Download
memory/700-64-0x0000000000560000-0x0000000000571000-memory.dmp

Filesize
68KB

Download
memory/700-58-0x000000000041D4D0-mapping.dmp

Download
memory/700-60-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/700-61-0x00000000003C0000-0x00000000003D1000-memory.dmp

Filesize
68KB

Download
memory/700-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/700-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1400-65-0x00000000072F0000-0x0000000007492000-memory.dmp

Filesize
1.6MB

Download
memory/1400-62-0x0000000006CF0000-0x0000000006DF7000-memory.dmp

Filesize
1.0MB

Download
memory/1400-72-0x0000000004B50000-0x0000000004C3F000-memory.dmp

Filesize
956KB

Download
memory/1424-66-0x0000000000000000-mapping.dmp

Download
memory/1424-68-0x0000000000150000-0x0000000000157000-memory.dmp

Filesize
28KB

Download
memory/1424-69-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1424-70-0x00000000020A0000-0x00000000023A3000-memory.dmp

Filesize
3.0MB

Download
memory/1424-71-0x0000000001DD0000-0x0000000001E60000-memory.dmp

Filesize
576KB

Download
memory/1648-55-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads