xloader | f55c9c2bdda3ecb1e3404ec6c003f146204ed5fd550b6de28a50ee1bdfb722c4

General

Target

CRYPTO INVOICE APPROVED.exe
Size

250KB
MD5

9eb725df8f30e3dae7b3197a1783eaea
SHA1

7484f0d4ff29b450339c24c40b771f88e2d907d7
SHA256

f55c9c2bdda3ecb1e3404ec6c003f146204ed5fd550b6de28a50ee1bdfb722c4
SHA512

9be53f3c9e0dd9218bd197c09f232a5f3af7470a14b7f58ab346d3ee6a8155ec739416d57053ae7f0429a3483ed6babb69ff70b2195bea794f853529663ca17d

Score

10^/10

xloader rmfg loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rmfg

Decoy

prospectcompounding.com

grand-prix.voyage

solvingpklogc.xyz

eliamhome.com

gamevip88.club

arsels.info

dswlt.com

dchehe.com

lawyerjerusalem.com

pbnseo.xyz

apuryifuid.com

kiukiupoker88.net

leannonimpact.com

kare-furniture.com

mississaugaremax.online

zpyh198.com

dueplay.store

naimi.ltd

greenstepspodiatry.com

cewirtanen.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2940-117-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2940-120-0x00000000009D0000-0x0000000000EE0000-memory.dmp	xloader
behavioral2/memory/856-123-0x0000000005040000-0x0000000005069000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

CRYPTO INVOICE APPROVED.exe

pid process

2708 CRYPTO INVOICE APPROVED.exe

pid	process
2708	CRYPTO INVOICE APPROVED.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

CRYPTO INVOICE APPROVED.exeCRYPTO INVOICE APPROVED.exechkdsk.exe

description	pid	process	target process
PID 2708 set thread context of 2940	2708	CRYPTO INVOICE APPROVED.exe	CRYPTO INVOICE APPROVED.exe
PID 2940 set thread context of 3036	2940	CRYPTO INVOICE APPROVED.exe	Explorer.EXE
PID 856 set thread context of 3036	856	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

CRYPTO INVOICE APPROVED.exechkdsk.exe

pid	process
2940	CRYPTO INVOICE APPROVED.exe
2940	CRYPTO INVOICE APPROVED.exe
2940	CRYPTO INVOICE APPROVED.exe
2940	CRYPTO INVOICE APPROVED.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe
856	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3036 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

CRYPTO INVOICE APPROVED.exechkdsk.exe

pid process

2940 CRYPTO INVOICE APPROVED.exe
2940 CRYPTO INVOICE APPROVED.exe
2940 CRYPTO INVOICE APPROVED.exe
856 chkdsk.exe
856 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CRYPTO INVOICE APPROVED.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 2940 CRYPTO INVOICE APPROVED.exe
Token: SeDebugPrivilege 856 chkdsk.exe

pid	process
3036	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2940	CRYPTO INVOICE APPROVED.exe
Token: SeDebugPrivilege	856	chkdsk.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

CRYPTO INVOICE APPROVED.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 2708 wrote to memory of 2940	2708	CRYPTO INVOICE APPROVED.exe	CRYPTO INVOICE APPROVED.exe
PID 2708 wrote to memory of 2940	2708	CRYPTO INVOICE APPROVED.exe	CRYPTO INVOICE APPROVED.exe
PID 2708 wrote to memory of 2940	2708	CRYPTO INVOICE APPROVED.exe	CRYPTO INVOICE APPROVED.exe
PID 2708 wrote to memory of 2940	2708	CRYPTO INVOICE APPROVED.exe	CRYPTO INVOICE APPROVED.exe
PID 2708 wrote to memory of 2940	2708	CRYPTO INVOICE APPROVED.exe	CRYPTO INVOICE APPROVED.exe
PID 2708 wrote to memory of 2940	2708	CRYPTO INVOICE APPROVED.exe	CRYPTO INVOICE APPROVED.exe
PID 3036 wrote to memory of 856	3036	Explorer.EXE	chkdsk.exe
PID 3036 wrote to memory of 856	3036	Explorer.EXE	chkdsk.exe
PID 3036 wrote to memory of 856	3036	Explorer.EXE	chkdsk.exe
PID 856 wrote to memory of 3472	856	chkdsk.exe	cmd.exe
PID 856 wrote to memory of 3472	856	chkdsk.exe	cmd.exe
PID 856 wrote to memory of 3472	856	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\CRYPTO INVOICE APPROVED.exe
"C:\Users\Admin\AppData\Local\Temp\CRYPTO INVOICE APPROVED.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\CRYPTO INVOICE APPROVED.exe
"C:\Users\Admin\AppData\Local\Temp\CRYPTO INVOICE APPROVED.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\CRYPTO INVOICE APPROVED.exe"
3⤵
PID:3472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso25A2.tmp\ucuuf.dll
MD5
6cf647e973301a4259172ae988ae9a87

SHA1
b003a0c03d628c3b0f59a3e6d7af86d375af06e1

SHA256
408e85feeef744f07460df42ce8d8f57668ec5afd94aaa3331d5c48a5f0f7138

SHA512
66fd713cf7426b4633b4e540d66ce34579c39278f6b47e884e5689e2c81d00f65ccb8b04e5f497413b03b6c2bf33e9a50d8aa42020e440bd171610fa884f064a

Download Submit
memory/856-123-0x0000000005040000-0x0000000005069000-memory.dmp

Filesize
164KB

Download
memory/856-122-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download
memory/856-124-0x0000000005110000-0x000000000525A000-memory.dmp

Filesize
1.3MB

Download
memory/856-125-0x00000000055C0000-0x0000000005650000-memory.dmp

Filesize
576KB

Download
memory/2708-116-0x000000001AD70000-0x000000001AD72000-memory.dmp

Filesize
8KB

Download
memory/2940-117-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2940-119-0x00000000009D0000-0x0000000000CF0000-memory.dmp

Filesize
3.1MB

Download
memory/2940-120-0x00000000009D0000-0x0000000000EE0000-memory.dmp

Filesize
5.1MB

Download
memory/3036-121-0x00000000056F0000-0x0000000005870000-memory.dmp

Filesize
1.5MB

Download
memory/3036-126-0x00000000068D0000-0x0000000006A25000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads