xloader | 8cbcba13895213b6f102c3c75b05f16e3df293063509c61e73ae367371f4885c

General

Target

CTM ARRANGMENT.exe
Size

249KB
MD5

a2046a5aeb81e1fc98cbbc9a2aff19b1
SHA1

6fb0f2848d25ffb9ea2c4441552c466539a0f0e0
SHA256

d0a2b78cdc16ebd07adf6aacd4b6e2d639dcdebd28f0e3eb4ca3e6b73cc1add8
SHA512

90bd09bed2fd4bb5eae4281fa9fae0df1164a36bb37b7ea2e8e70b034436461966d1b317f1e5ec610055acd7e28372b4bbafe96154e32c182aa93ba05fdf8640

Score

10^/10

xloader dtt3 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dtt3

Decoy

edilononlineshop.com

cursosd.com

viellacharteredland.com

increasey0urenergylevels.codes

yjy-hotel.com

claym.xyz

reelsguide.com

gives-cardano.com

ashrafannuar.com

mammalians.com

rocketleaguedads.com

yubierp.com

minimi36.com

chn-chn.com

jagojp888.com

parsian-shetab.com

273351.com

mdtouhid.com

babedads.com

vallinam2.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2284-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2284-119-0x00000000007E0000-0x0000000000973000-memory.dmp	xloader
behavioral2/memory/1892-122-0x0000000000A10000-0x0000000000A39000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

CTM ARRANGMENT.exe

pid process

2400 CTM ARRANGMENT.exe

pid	process
2400	CTM ARRANGMENT.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

CTM ARRANGMENT.exeCTM ARRANGMENT.exemstsc.exe

description	pid	process	target process
PID 2400 set thread context of 2284	2400	CTM ARRANGMENT.exe	CTM ARRANGMENT.exe
PID 2284 set thread context of 2720	2284	CTM ARRANGMENT.exe	Explorer.EXE
PID 1892 set thread context of 2720	1892	mstsc.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

CTM ARRANGMENT.exemstsc.exe

pid	process
2284	CTM ARRANGMENT.exe
2284	CTM ARRANGMENT.exe
2284	CTM ARRANGMENT.exe
2284	CTM ARRANGMENT.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe
1892	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2720 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

CTM ARRANGMENT.exemstsc.exe

pid process

2284 CTM ARRANGMENT.exe
2284 CTM ARRANGMENT.exe
2284 CTM ARRANGMENT.exe
1892 mstsc.exe
1892 mstsc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CTM ARRANGMENT.exemstsc.exe

description pid process

Token: SeDebugPrivilege 2284 CTM ARRANGMENT.exe
Token: SeDebugPrivilege 1892 mstsc.exe

pid	process
2720	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2284	CTM ARRANGMENT.exe
Token: SeDebugPrivilege	1892	mstsc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

CTM ARRANGMENT.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 2400 wrote to memory of 2284	2400	CTM ARRANGMENT.exe	CTM ARRANGMENT.exe
PID 2400 wrote to memory of 2284	2400	CTM ARRANGMENT.exe	CTM ARRANGMENT.exe
PID 2400 wrote to memory of 2284	2400	CTM ARRANGMENT.exe	CTM ARRANGMENT.exe
PID 2400 wrote to memory of 2284	2400	CTM ARRANGMENT.exe	CTM ARRANGMENT.exe
PID 2400 wrote to memory of 2284	2400	CTM ARRANGMENT.exe	CTM ARRANGMENT.exe
PID 2400 wrote to memory of 2284	2400	CTM ARRANGMENT.exe	CTM ARRANGMENT.exe
PID 2720 wrote to memory of 1892	2720	Explorer.EXE	mstsc.exe
PID 2720 wrote to memory of 1892	2720	Explorer.EXE	mstsc.exe
PID 2720 wrote to memory of 1892	2720	Explorer.EXE	mstsc.exe
PID 1892 wrote to memory of 3360	1892	mstsc.exe	cmd.exe
PID 1892 wrote to memory of 3360	1892	mstsc.exe	cmd.exe
PID 1892 wrote to memory of 3360	1892	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe
"C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe
"C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1144

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe"
3⤵
PID:3360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsm6D5E.tmp\kykgewxkrv.dll
MD5
638d655f837f80df4b70fe17a5ea86b4

SHA1
51c0d3eed56c7c87fc1371bfcdfb02ce707bc36b

SHA256
c106ca97813ad904efc3bebae18ad42c6787c725cbbdf966da5ffc2888b8e384

SHA512
a6881256779c3fe37f4170ebc9e08c9d5a5db2c06419bee67f35cf0107e91e8e83e3a106a8546b75eae54abf3295148ee9d95de82fa406f591c90982917aadd8

Download Submit
memory/1892-121-0x0000000000D60000-0x000000000105C000-memory.dmp

Filesize
3.0MB

Download
memory/1892-122-0x0000000000A10000-0x0000000000A39000-memory.dmp

Filesize
164KB

Download
memory/1892-123-0x0000000004C50000-0x0000000004F70000-memory.dmp

Filesize
3.1MB

Download
memory/1892-124-0x0000000004910000-0x0000000004AAC000-memory.dmp

Filesize
1.6MB

Download
memory/2284-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2284-118-0x0000000000980000-0x0000000000CA0000-memory.dmp

Filesize
3.1MB

Download
memory/2284-119-0x00000000007E0000-0x0000000000973000-memory.dmp

Filesize
1.6MB

Download
memory/2720-120-0x0000000002FE0000-0x00000000030D2000-memory.dmp

Filesize
968KB

Download
memory/2720-125-0x0000000006830000-0x0000000006980000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads