xloader | ae912e8263a9242ff6590f2c818cdc64c3a6f2f059576dc8d760a3af93db63fc

General

Target

PAYMENT_xlsx.exe
Size

260KB
MD5

903f090170c015ce8a923608be5f5529
SHA1

ca5ab369fa9fa10367f8d2de5530986dd5add4a1
SHA256

ae912e8263a9242ff6590f2c818cdc64c3a6f2f059576dc8d760a3af93db63fc
SHA512

fb716c05053f9643ebdaff1e5a5a3d9b88cee77c1753a51618ab3c8f7897cd79384250edbe49cad6cf86579b83dd317ce2922674835ea3d484a0fb0f79f3bf6b

Score

10^/10

xloader dtt3 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dtt3

Decoy

edilononlineshop.com

cursosd.com

viellacharteredland.com

increasey0urenergylevels.codes

yjy-hotel.com

claym.xyz

reelsguide.com

gives-cardano.com

ashrafannuar.com

mammalians.com

rocketleaguedads.com

yubierp.com

minimi36.com

chn-chn.com

jagojp888.com

parsian-shetab.com

273351.com

mdtouhid.com

babedads.com

vallinam2.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/760-58-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/760-60-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1628-67-0x00000000000D0000-0x00000000000F9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1760 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

PAYMENT_xlsx.exe

pid process

1404 PAYMENT_xlsx.exe

pid	process
1760	cmd.exe

pid	process
1404	PAYMENT_xlsx.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PAYMENT_xlsx.exePAYMENT_xlsx.execmstp.exe

description	pid	process	target process
PID 1404 set thread context of 760	1404	PAYMENT_xlsx.exe	PAYMENT_xlsx.exe
PID 760 set thread context of 1416	760	PAYMENT_xlsx.exe	Explorer.EXE
PID 1628 set thread context of 1416	1628	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

PAYMENT_xlsx.execmstp.exe

pid	process
760	PAYMENT_xlsx.exe
760	PAYMENT_xlsx.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe
1628	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1416 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PAYMENT_xlsx.execmstp.exe

pid process

760 PAYMENT_xlsx.exe
760 PAYMENT_xlsx.exe
760 PAYMENT_xlsx.exe
1628 cmstp.exe
1628 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PAYMENT_xlsx.execmstp.exe

description pid process

Token: SeDebugPrivilege 760 PAYMENT_xlsx.exe
Token: SeDebugPrivilege 1628 cmstp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1416 Explorer.EXE
1416 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1416 Explorer.EXE
1416 Explorer.EXE

pid	process
1416	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	760	PAYMENT_xlsx.exe
Token: SeDebugPrivilege	1628	cmstp.exe

pid	process
1416	Explorer.EXE
1416	Explorer.EXE

pid	process
1416	Explorer.EXE
1416	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

PAYMENT_xlsx.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1404 wrote to memory of 760	1404	PAYMENT_xlsx.exe	PAYMENT_xlsx.exe
PID 1404 wrote to memory of 760	1404	PAYMENT_xlsx.exe	PAYMENT_xlsx.exe
PID 1404 wrote to memory of 760	1404	PAYMENT_xlsx.exe	PAYMENT_xlsx.exe
PID 1404 wrote to memory of 760	1404	PAYMENT_xlsx.exe	PAYMENT_xlsx.exe
PID 1404 wrote to memory of 760	1404	PAYMENT_xlsx.exe	PAYMENT_xlsx.exe
PID 1404 wrote to memory of 760	1404	PAYMENT_xlsx.exe	PAYMENT_xlsx.exe
PID 1404 wrote to memory of 760	1404	PAYMENT_xlsx.exe	PAYMENT_xlsx.exe
PID 1416 wrote to memory of 1628	1416	Explorer.EXE	cmstp.exe
PID 1416 wrote to memory of 1628	1416	Explorer.EXE	cmstp.exe
PID 1416 wrote to memory of 1628	1416	Explorer.EXE	cmstp.exe
PID 1416 wrote to memory of 1628	1416	Explorer.EXE	cmstp.exe
PID 1416 wrote to memory of 1628	1416	Explorer.EXE	cmstp.exe
PID 1416 wrote to memory of 1628	1416	Explorer.EXE	cmstp.exe
PID 1416 wrote to memory of 1628	1416	Explorer.EXE	cmstp.exe
PID 1628 wrote to memory of 1760	1628	cmstp.exe	cmd.exe
PID 1628 wrote to memory of 1760	1628	cmstp.exe	cmd.exe
PID 1628 wrote to memory of 1760	1628	cmstp.exe	cmd.exe
PID 1628 wrote to memory of 1760	1628	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Local\Temp\PAYMENT_xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT_xlsx.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\PAYMENT_xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT_xlsx.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PAYMENT_xlsx.exe"
3⤵
- Deletes itself
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsyD8A.tmp\grjrgdnfat.dll
MD5
4f17fcc87799615ed77345f05d8c5520

SHA1
1f4a7f5b874c28afdb8efa185282e8276147d305

SHA256
42af13597bd2e5a22c31c9776403f45ddf4cded7a488fd7ae2463cfa31ba5783

SHA512
40f2cbac516a82bccc0a49379a361d885dc97a4cc2589c81c1b39d5d94f9857c22eddc2194c089e392b209d9cc9e177ed4f39637e09639d4a9c08e7569ae485b

Download Submit
memory/760-61-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/760-58-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/760-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/760-62-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/760-63-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/1404-57-0x00000000005E0000-0x00000000005E2000-memory.dmp

Filesize
8KB

Download
memory/1404-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/1416-64-0x00000000070B0000-0x00000000071AB000-memory.dmp

Filesize
1004KB

Download
memory/1416-70-0x0000000008F80000-0x00000000090C7000-memory.dmp

Filesize
1.3MB

Download
memory/1628-67-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/1628-66-0x00000000009E0000-0x00000000009F8000-memory.dmp

Filesize
96KB

Download
memory/1628-68-0x0000000001F90000-0x0000000002293000-memory.dmp

Filesize
3.0MB

Download
memory/1628-69-0x0000000000810000-0x00000000008A0000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads