xloader | 3866d4f2f3fa6a3cdedd0b3e4704b438881b0a147e75eeddacaeea85e52c669a

General

Target

scan doc_o1022111234.exe
Size

285KB
MD5

69ee93123716e7d21e0e527be980c22b
SHA1

bb4b074dda0d143d36a6c4c572bd669be67fe0e5
SHA256

3866d4f2f3fa6a3cdedd0b3e4704b438881b0a147e75eeddacaeea85e52c669a
SHA512

36925cddedff3acb9a217ce35e8d676a46d76f5873471daf9e9cf512f2df5934fe263532b0ba789573fdc887eb211eee6cbe0988b8e22306d16ff211509c1edc

Score

10^/10

xloader cxep loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cxep

Decoy

estateglobal.info

loransstore.com

loginofy.com

fjallravenz.online

cefseguranca-app.com

safontadiestramiento.com

bubbleteapro.com

morethanmummies.com

serviciopersonalizadoweb.com

headerbidder.info

skworkforce.com

heightsorthodontics.com

chulavistapd.com

southjerseyautobody.net

chargedbygratitude.com

meltingpotspot.com

gdjiachen.com

luckdrawprogram.com

vintagepaseo.com

bequestslojyh.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/268-57-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/268-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1020-66-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1392 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

scan doc_o1022111234.exe

pid process

1520 scan doc_o1022111234.exe

pid	process
1392	cmd.exe

pid	process
1520	scan doc_o1022111234.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

scan doc_o1022111234.exescan doc_o1022111234.exehelp.exe

description	pid	process	target process
PID 1520 set thread context of 268	1520	scan doc_o1022111234.exe	scan doc_o1022111234.exe
PID 268 set thread context of 1372	268	scan doc_o1022111234.exe	Explorer.EXE
PID 268 set thread context of 1372	268	scan doc_o1022111234.exe	Explorer.EXE
PID 1020 set thread context of 1372	1020	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

scan doc_o1022111234.exehelp.exe

pid	process
268	scan doc_o1022111234.exe
268	scan doc_o1022111234.exe
268	scan doc_o1022111234.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe
1020	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

scan doc_o1022111234.exehelp.exe

pid process

268 scan doc_o1022111234.exe
268 scan doc_o1022111234.exe
268 scan doc_o1022111234.exe
268 scan doc_o1022111234.exe
1020 help.exe
1020 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

scan doc_o1022111234.exehelp.exe

description pid process

Token: SeDebugPrivilege 268 scan doc_o1022111234.exe
Token: SeDebugPrivilege 1020 help.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE

pid	process
1372	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	268	scan doc_o1022111234.exe
Token: SeDebugPrivilege	1020	help.exe

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

scan doc_o1022111234.exescan doc_o1022111234.exehelp.exe

description	pid	process	target process
PID 1520 wrote to memory of 268	1520	scan doc_o1022111234.exe	scan doc_o1022111234.exe
PID 1520 wrote to memory of 268	1520	scan doc_o1022111234.exe	scan doc_o1022111234.exe
PID 1520 wrote to memory of 268	1520	scan doc_o1022111234.exe	scan doc_o1022111234.exe
PID 1520 wrote to memory of 268	1520	scan doc_o1022111234.exe	scan doc_o1022111234.exe
PID 1520 wrote to memory of 268	1520	scan doc_o1022111234.exe	scan doc_o1022111234.exe
PID 1520 wrote to memory of 268	1520	scan doc_o1022111234.exe	scan doc_o1022111234.exe
PID 1520 wrote to memory of 268	1520	scan doc_o1022111234.exe	scan doc_o1022111234.exe
PID 268 wrote to memory of 1020	268	scan doc_o1022111234.exe	help.exe
PID 268 wrote to memory of 1020	268	scan doc_o1022111234.exe	help.exe
PID 268 wrote to memory of 1020	268	scan doc_o1022111234.exe	help.exe
PID 268 wrote to memory of 1020	268	scan doc_o1022111234.exe	help.exe
PID 1020 wrote to memory of 1392	1020	help.exe	cmd.exe
PID 1020 wrote to memory of 1392	1020	help.exe	cmd.exe
PID 1020 wrote to memory of 1392	1020	help.exe	cmd.exe
PID 1020 wrote to memory of 1392	1020	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1372

C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe
"C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe
"C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe"
5⤵
- Deletes itself
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd3017.tmp\uyhlelrjb.dll
MD5
3b2bf8df341ac6f0edfe50a1ae7ff555

SHA1
e9bdd7cbf9426b710c9ea60c36ee0b2183ebb602

SHA256
eace00923a15331adc6214d609b21328047a13ffdd4e14cc5e2e142241c156ad

SHA512
a127e8a748d8fa78b54e3cfbae47d147d93586f566b3d1a8a6cbc6e06df5f6ffdcc6abd61c4bf96d69b332f0646b90935fa2231d7be3cbfdd68975d387c9a6f1

Download Submit
memory/268-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/268-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/268-58-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download
memory/268-60-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/268-63-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/1020-65-0x0000000000B10000-0x0000000000B16000-memory.dmp

Filesize
24KB

Download
memory/1020-66-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1020-67-0x00000000006D0000-0x0000000000AD3000-memory.dmp

Filesize
4.0MB

Download
memory/1020-68-0x00000000003D0000-0x0000000000460000-memory.dmp

Filesize
576KB

Download
memory/1372-61-0x0000000003A00000-0x0000000003ABF000-memory.dmp

Filesize
764KB

Download
memory/1372-64-0x0000000006A20000-0x0000000006B7A000-memory.dmp

Filesize
1.4MB

Download
memory/1372-69-0x0000000003E40000-0x0000000003F16000-memory.dmp

Filesize
856KB

Download
memory/1520-55-0x0000000076371000-0x0000000076373000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads