xloader | b88f9f5f1944a3f2d0f7586fcdb3b3262bfb979e3fbc3364b306067cc6d5f38e

General

Target

7IaVcfn93gmybib.exe
Size

501KB
MD5

dff6c60684ba9f0c0eaafcfa6fbd2dcb
SHA1

74b835eb13019d63404258776791cab16db4ccfd
SHA256

b88f9f5f1944a3f2d0f7586fcdb3b3262bfb979e3fbc3364b306067cc6d5f38e
SHA512

531d8bc89f8f4db05b49a845407f52b00371834ec37f13d49abb861f066e9b87fe4d80ac565e12abfc09b43c8d822a139e0ecdd321ee2f116e9e25f5407d6ae0

Score

10^/10

xloader cbgo loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

tablescaperendezvous4two.net

abktransportllc.net

roseevision.com

skategrindingwheels.com

robux-generator-free.xyz

yacusi.com

mgav35.xyz

paravocecommerce.com

venkatramanrm.com

freakyhamster.com

jenaashoponline.com

dmozlisting.com

lorrainekclark.store

handyman-prime.com

thecrashingbrains.com

ukpms.com

livingstonemines.com

papeisonline.com

chrisbakerpr.com

omnipets.store

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4476-139-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2752-146-0x0000000000EA0000-0x0000000000EC9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

7IaVcfn93gmybib.exe7IaVcfn93gmybib.exesystray.exe

description	pid	process	target process
PID 3852 set thread context of 4476	3852	7IaVcfn93gmybib.exe	7IaVcfn93gmybib.exe
PID 4476 set thread context of 3032	4476	7IaVcfn93gmybib.exe	Explorer.EXE
PID 2752 set thread context of 3032	2752	systray.exe	Explorer.EXE

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

7IaVcfn93gmybib.exesystray.exe

pid	process
4476	7IaVcfn93gmybib.exe
4476	7IaVcfn93gmybib.exe
4476	7IaVcfn93gmybib.exe
4476	7IaVcfn93gmybib.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe
2752	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3032 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

7IaVcfn93gmybib.exesystray.exe

pid process

4476 7IaVcfn93gmybib.exe
4476 7IaVcfn93gmybib.exe
4476 7IaVcfn93gmybib.exe
2752 systray.exe
2752 systray.exe

pid	process
3032	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	2308	svchost.exe
Token: SeCreatePagefilePrivilege	2308	svchost.exe
Token: SeShutdownPrivilege	2308	svchost.exe
Token: SeCreatePagefilePrivilege	2308	svchost.exe
Token: SeShutdownPrivilege	2308	svchost.exe
Token: SeCreatePagefilePrivilege	2308	svchost.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe
Token: SeRestorePrivilege	3388	TiWorker.exe
Token: SeSecurityPrivilege	3388	TiWorker.exe
Token: SeBackupPrivilege	3388	TiWorker.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3032 Explorer.EXE
3032 Explorer.EXE

pid	process
3032	Explorer.EXE
3032	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7IaVcfn93gmybib.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 3852 wrote to memory of 4476	3852	7IaVcfn93gmybib.exe	7IaVcfn93gmybib.exe
PID 3852 wrote to memory of 4476	3852	7IaVcfn93gmybib.exe	7IaVcfn93gmybib.exe
PID 3852 wrote to memory of 4476	3852	7IaVcfn93gmybib.exe	7IaVcfn93gmybib.exe
PID 3852 wrote to memory of 4476	3852	7IaVcfn93gmybib.exe	7IaVcfn93gmybib.exe
PID 3852 wrote to memory of 4476	3852	7IaVcfn93gmybib.exe	7IaVcfn93gmybib.exe
PID 3852 wrote to memory of 4476	3852	7IaVcfn93gmybib.exe	7IaVcfn93gmybib.exe
PID 3032 wrote to memory of 2752	3032	Explorer.EXE	systray.exe
PID 3032 wrote to memory of 2752	3032	Explorer.EXE	systray.exe
PID 3032 wrote to memory of 2752	3032	Explorer.EXE	systray.exe
PID 2752 wrote to memory of 1504	2752	systray.exe	cmd.exe
PID 2752 wrote to memory of 1504	2752	systray.exe	cmd.exe
PID 2752 wrote to memory of 1504	2752	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\7IaVcfn93gmybib.exe
"C:\Users\Admin\AppData\Local\Temp\7IaVcfn93gmybib.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3852

C:\Users\Admin\AppData\Local\Temp\7IaVcfn93gmybib.exe
"C:\Users\Admin\AppData\Local\Temp\7IaVcfn93gmybib.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4476

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\7IaVcfn93gmybib.exe"
3⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2308-133-0x0000027C7EB70000-0x0000027C7EB80000-memory.dmp

Filesize
64KB

Download
memory/2308-134-0x0000027C7F120000-0x0000027C7F130000-memory.dmp

Filesize
64KB

Download
memory/2308-135-0x0000027C7F7F0000-0x0000027C7F7F4000-memory.dmp

Filesize
16KB

Download
memory/2752-148-0x0000000002B80000-0x0000000002C10000-memory.dmp

Filesize
576KB

Download
memory/2752-147-0x0000000002DE0000-0x000000000312A000-memory.dmp

Filesize
3.3MB

Download
memory/2752-146-0x0000000000EA0000-0x0000000000EC9000-memory.dmp

Filesize
164KB

Download
memory/2752-145-0x00000000009F0000-0x00000000009F6000-memory.dmp

Filesize
24KB

Download
memory/3032-144-0x0000000008030000-0x000000000814E000-memory.dmp

Filesize
1.1MB

Download
memory/3032-149-0x0000000008440000-0x0000000008552000-memory.dmp

Filesize
1.1MB

Download
memory/3852-138-0x0000000006110000-0x00000000066B4000-memory.dmp

Filesize
5.6MB

Download
memory/3852-130-0x0000000000960000-0x00000000009E4000-memory.dmp

Filesize
528KB

Download
memory/3852-137-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/3852-136-0x0000000005700000-0x000000000579C000-memory.dmp

Filesize
624KB

Download
memory/3852-132-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/3852-131-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/4476-141-0x00000000014F0000-0x000000000183A000-memory.dmp

Filesize
3.3MB

Download
memory/4476-142-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/4476-143-0x00000000014C0000-0x00000000014D1000-memory.dmp

Filesize
68KB

Download
memory/4476-139-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads