xloader | 8cbcba13895213b6f102c3c75b05f16e3df293063509c61e73ae367371f4885c

General

Target

CTM ARRANGMENT.exe
Size

249KB
MD5

a2046a5aeb81e1fc98cbbc9a2aff19b1
SHA1

6fb0f2848d25ffb9ea2c4441552c466539a0f0e0
SHA256

d0a2b78cdc16ebd07adf6aacd4b6e2d639dcdebd28f0e3eb4ca3e6b73cc1add8
SHA512

90bd09bed2fd4bb5eae4281fa9fae0df1164a36bb37b7ea2e8e70b034436461966d1b317f1e5ec610055acd7e28372b4bbafe96154e32c182aa93ba05fdf8640

Score

10^/10

xloader dtt3 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dtt3

Decoy

edilononlineshop.com

cursosd.com

viellacharteredland.com

increasey0urenergylevels.codes

yjy-hotel.com

claym.xyz

reelsguide.com

gives-cardano.com

ashrafannuar.com

mammalians.com

rocketleaguedads.com

yubierp.com

minimi36.com

chn-chn.com

jagojp888.com

parsian-shetab.com

273351.com

mdtouhid.com

babedads.com

vallinam2.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/716-57-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1332-63-0x00000000000D0000-0x00000000000F9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

568 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

CTM ARRANGMENT.exe

pid process

1264 CTM ARRANGMENT.exe

pid	process
568	cmd.exe

pid	process
1264	CTM ARRANGMENT.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

CTM ARRANGMENT.exeCTM ARRANGMENT.exewuapp.exe

description	pid	process	target process
PID 1264 set thread context of 716	1264	CTM ARRANGMENT.exe	CTM ARRANGMENT.exe
PID 716 set thread context of 1232	716	CTM ARRANGMENT.exe	Explorer.EXE
PID 1332 set thread context of 1232	1332	wuapp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

CTM ARRANGMENT.exewuapp.exe

pid	process
716	CTM ARRANGMENT.exe
716	CTM ARRANGMENT.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe
1332	wuapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

CTM ARRANGMENT.exewuapp.exe

pid process

716 CTM ARRANGMENT.exe
716 CTM ARRANGMENT.exe
716 CTM ARRANGMENT.exe
1332 wuapp.exe
1332 wuapp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CTM ARRANGMENT.exewuapp.exe

description pid process

Token: SeDebugPrivilege 716 CTM ARRANGMENT.exe
Token: SeDebugPrivilege 1332 wuapp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE

pid	process
1232	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	716	CTM ARRANGMENT.exe
Token: SeDebugPrivilege	1332	wuapp.exe

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

CTM ARRANGMENT.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 1264 wrote to memory of 716	1264	CTM ARRANGMENT.exe	CTM ARRANGMENT.exe
PID 1264 wrote to memory of 716	1264	CTM ARRANGMENT.exe	CTM ARRANGMENT.exe
PID 1264 wrote to memory of 716	1264	CTM ARRANGMENT.exe	CTM ARRANGMENT.exe
PID 1264 wrote to memory of 716	1264	CTM ARRANGMENT.exe	CTM ARRANGMENT.exe
PID 1264 wrote to memory of 716	1264	CTM ARRANGMENT.exe	CTM ARRANGMENT.exe
PID 1264 wrote to memory of 716	1264	CTM ARRANGMENT.exe	CTM ARRANGMENT.exe
PID 1264 wrote to memory of 716	1264	CTM ARRANGMENT.exe	CTM ARRANGMENT.exe
PID 1232 wrote to memory of 1332	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 1332	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 1332	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 1332	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 1332	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 1332	1232	Explorer.EXE	wuapp.exe
PID 1232 wrote to memory of 1332	1232	Explorer.EXE	wuapp.exe
PID 1332 wrote to memory of 568	1332	wuapp.exe	cmd.exe
PID 1332 wrote to memory of 568	1332	wuapp.exe	cmd.exe
PID 1332 wrote to memory of 568	1332	wuapp.exe	cmd.exe
PID 1332 wrote to memory of 568	1332	wuapp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe
"C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe
"C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe"
3⤵
- Deletes itself
PID:568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsnE2F1.tmp\kykgewxkrv.dll
MD5
638d655f837f80df4b70fe17a5ea86b4

SHA1
51c0d3eed56c7c87fc1371bfcdfb02ce707bc36b

SHA256
c106ca97813ad904efc3bebae18ad42c6787c725cbbdf966da5ffc2888b8e384

SHA512
a6881256779c3fe37f4170ebc9e08c9d5a5db2c06419bee67f35cf0107e91e8e83e3a106a8546b75eae54abf3295148ee9d95de82fa406f591c90982917aadd8

Download Submit
memory/716-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/716-59-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/716-61-0x0000000000340000-0x0000000000351000-memory.dmp

Filesize
68KB

Download
memory/1232-60-0x00000000068B0000-0x00000000069F3000-memory.dmp

Filesize
1.3MB

Download
memory/1232-66-0x0000000004160000-0x000000000422D000-memory.dmp

Filesize
820KB

Download
memory/1264-55-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/1332-62-0x00000000010B0000-0x00000000010BB000-memory.dmp

Filesize
44KB

Download
memory/1332-63-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/1332-64-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download
memory/1332-65-0x00000000007E0000-0x0000000000870000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads