xloader | 01222693e4698149f19d31ac66567a9815f89509bac13d690de8a5afda2bee08

General

Target

CTM REQUEST.exe
Size

265KB
MD5

64477dc3ce0b183b116147707d6f6928
SHA1

a2859ec6076ff22a0a45a20c056be9d380cb5c54
SHA256

01222693e4698149f19d31ac66567a9815f89509bac13d690de8a5afda2bee08
SHA512

9de95fb485a2dd4554a88cf78faeb5e01bd9073632322804403ab61cde027739750c28a3a036228cbb2f8a432017a0dfd09a3e4cf5dc5da2f7273437be402699

Score

10^/10

xloader 3a4h loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

3a4h

Decoy

mohamedmansour.net

asap.green

influxair.com

45mpt.xyz

cablerailingdesign.com

salesdisrupter.com

cxfarms.com

enerconfederal.com

pl1x.top

nyoz.top

fitnesz.website

minimi36.com

borealiselectricalrepair.com

miskalqurashi.com

importacionesdelfuturo.com

cigfinanacial.com

luxamata.xyz

digicoin724.com

gozabank.com

tribal-treasures.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/528-57-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1300-63-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

904 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

CTM REQUEST.exe

pid process

752 CTM REQUEST.exe

pid	process
904	cmd.exe

pid	process
752	CTM REQUEST.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

CTM REQUEST.exeCTM REQUEST.exechkdsk.exe

description	pid	process	target process
PID 752 set thread context of 528	752	CTM REQUEST.exe	CTM REQUEST.exe
PID 528 set thread context of 1424	528	CTM REQUEST.exe	Explorer.EXE
PID 1300 set thread context of 1424	1300	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

CTM REQUEST.exechkdsk.exe

pid	process
528	CTM REQUEST.exe
528	CTM REQUEST.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe
1300	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1424 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

CTM REQUEST.exechkdsk.exe

pid process

528 CTM REQUEST.exe
528 CTM REQUEST.exe
528 CTM REQUEST.exe
1300 chkdsk.exe
1300 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CTM REQUEST.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 528 CTM REQUEST.exe
Token: SeDebugPrivilege 1300 chkdsk.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1424 Explorer.EXE
1424 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1424 Explorer.EXE
1424 Explorer.EXE

pid	process
1424	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	528	CTM REQUEST.exe
Token: SeDebugPrivilege	1300	chkdsk.exe

pid	process
1424	Explorer.EXE
1424	Explorer.EXE

pid	process
1424	Explorer.EXE
1424	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

CTM REQUEST.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 752 wrote to memory of 528	752	CTM REQUEST.exe	CTM REQUEST.exe
PID 752 wrote to memory of 528	752	CTM REQUEST.exe	CTM REQUEST.exe
PID 752 wrote to memory of 528	752	CTM REQUEST.exe	CTM REQUEST.exe
PID 752 wrote to memory of 528	752	CTM REQUEST.exe	CTM REQUEST.exe
PID 752 wrote to memory of 528	752	CTM REQUEST.exe	CTM REQUEST.exe
PID 752 wrote to memory of 528	752	CTM REQUEST.exe	CTM REQUEST.exe
PID 752 wrote to memory of 528	752	CTM REQUEST.exe	CTM REQUEST.exe
PID 1424 wrote to memory of 1300	1424	Explorer.EXE	chkdsk.exe
PID 1424 wrote to memory of 1300	1424	Explorer.EXE	chkdsk.exe
PID 1424 wrote to memory of 1300	1424	Explorer.EXE	chkdsk.exe
PID 1424 wrote to memory of 1300	1424	Explorer.EXE	chkdsk.exe
PID 1300 wrote to memory of 904	1300	chkdsk.exe	cmd.exe
PID 1300 wrote to memory of 904	1300	chkdsk.exe	cmd.exe
PID 1300 wrote to memory of 904	1300	chkdsk.exe	cmd.exe
PID 1300 wrote to memory of 904	1300	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe
"C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe
"C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe"
3⤵
- Deletes itself
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst5CF1.tmp\hshes.dll
MD5
86a3e22c21ce1ada9fde3e7f8ec9749f

SHA1
2b3c20db5bc50bc6edd96a01c733cb18e9f0a081

SHA256
c4769e61329e6fa9800e79992f9dd38f63a8b2b19f82a2bc0f5cd216bf338db1

SHA512
f6c811fa96f122f8267132a4cefe4b4bc4aaa79d4b1cae8b2531695b3534a59615131af0b755c4ba1f98ad454ad03c95817b05c8b97eac00723f14a935a1b4ac

Download Submit
memory/528-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/528-59-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/528-60-0x00000000002E0000-0x0000000000429000-memory.dmp

Filesize
1.3MB

Download
memory/752-54-0x0000000075431000-0x0000000075433000-memory.dmp

Filesize
8KB

Download
memory/752-56-0x0000000000350000-0x0000000000352000-memory.dmp

Filesize
8KB

Download
memory/1300-62-0x00000000008F0000-0x00000000008F7000-memory.dmp

Filesize
28KB

Download
memory/1300-63-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1300-64-0x00000000020D0000-0x00000000023D3000-memory.dmp

Filesize
3.0MB

Download
memory/1300-65-0x0000000001D00000-0x0000000001F3C000-memory.dmp

Filesize
2.2MB

Download
memory/1424-61-0x0000000006A40000-0x0000000006BA1000-memory.dmp

Filesize
1.4MB

Download
memory/1424-66-0x0000000006BB0000-0x0000000006CC0000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads