xloader | 6e6e18a85c523bfffd1b5293b978832f7387fda9b9eee87d3d8e98666fe020c9

General

Target

win32.exe
Size

656KB
MD5

ada88465652140cfa9ae8955370fc40f
SHA1

e13c0564f3662230c11537366d1568c5c3825513
SHA256

6e6e18a85c523bfffd1b5293b978832f7387fda9b9eee87d3d8e98666fe020c9
SHA512

2e288e1d465c0babe87f52417dea9822dafe0aa21448468c2a38c1d72e9b933ed38b06a1cb1a0ea34ac9100b8faa9603117f01697c22c0ab25156787cb8ca51f

Score

10^/10

xloader w6ot loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

w6ot

Decoy

zerodawnprime.com

chunhejingming.com

estrellafiamma.biz

meetbotique.com

westernghatsstudyabroad.com

madysenlenihancoaching.com

c2batlrjm05uzzjnamm8627.com

sasamamai.com

softcherry.club

iputtbetter.store

sointuboete.quest

mahadevwardrobe.online

goedkope-ladegeleiders.online

g3taquotea.info

987vna.club

justdodge.net

b95202.com

dwabiegunyfotografii.com

entrustqlxorx.online

busineschatcom.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/484-61-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/576-69-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

xcsjhnbx.exexcsjhnbx.exe

pid process

320 xcsjhnbx.exe
484 xcsjhnbx.exe
Loads dropped DLL 2 IoCs

Processes:

win32.exexcsjhnbx.exe

pid process

800 win32.exe
320 xcsjhnbx.exe

pid	process
320	xcsjhnbx.exe
484	xcsjhnbx.exe

pid	process
800	win32.exe
320	xcsjhnbx.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

xcsjhnbx.exexcsjhnbx.exewininit.exe

description	pid	process	target process
PID 320 set thread context of 484	320	xcsjhnbx.exe	xcsjhnbx.exe
PID 484 set thread context of 1436	484	xcsjhnbx.exe	Explorer.EXE
PID 576 set thread context of 1436	576	wininit.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

xcsjhnbx.exewininit.exe

pid	process
484	xcsjhnbx.exe
484	xcsjhnbx.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe
576	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1436 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

xcsjhnbx.exewininit.exe

pid process

484 xcsjhnbx.exe
484 xcsjhnbx.exe
484 xcsjhnbx.exe
576 wininit.exe
576 wininit.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xcsjhnbx.exewininit.exe

description pid process

Token: SeDebugPrivilege 484 xcsjhnbx.exe
Token: SeDebugPrivilege 576 wininit.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1436 Explorer.EXE
1436 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1436 Explorer.EXE
1436 Explorer.EXE

pid	process
1436	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	484	xcsjhnbx.exe
Token: SeDebugPrivilege	576	wininit.exe

pid	process
1436	Explorer.EXE
1436	Explorer.EXE

pid	process
1436	Explorer.EXE
1436	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

win32.exexcsjhnbx.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 800 wrote to memory of 320	800	win32.exe	xcsjhnbx.exe
PID 800 wrote to memory of 320	800	win32.exe	xcsjhnbx.exe
PID 800 wrote to memory of 320	800	win32.exe	xcsjhnbx.exe
PID 800 wrote to memory of 320	800	win32.exe	xcsjhnbx.exe
PID 320 wrote to memory of 484	320	xcsjhnbx.exe	xcsjhnbx.exe
PID 320 wrote to memory of 484	320	xcsjhnbx.exe	xcsjhnbx.exe
PID 320 wrote to memory of 484	320	xcsjhnbx.exe	xcsjhnbx.exe
PID 320 wrote to memory of 484	320	xcsjhnbx.exe	xcsjhnbx.exe
PID 320 wrote to memory of 484	320	xcsjhnbx.exe	xcsjhnbx.exe
PID 320 wrote to memory of 484	320	xcsjhnbx.exe	xcsjhnbx.exe
PID 320 wrote to memory of 484	320	xcsjhnbx.exe	xcsjhnbx.exe
PID 1436 wrote to memory of 576	1436	Explorer.EXE	wininit.exe
PID 1436 wrote to memory of 576	1436	Explorer.EXE	wininit.exe
PID 1436 wrote to memory of 576	1436	Explorer.EXE	wininit.exe
PID 1436 wrote to memory of 576	1436	Explorer.EXE	wininit.exe
PID 576 wrote to memory of 836	576	wininit.exe	cmd.exe
PID 576 wrote to memory of 836	576	wininit.exe	cmd.exe
PID 576 wrote to memory of 836	576	wininit.exe	cmd.exe
PID 576 wrote to memory of 836	576	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\win32.exe
"C:\Users\Admin\AppData\Local\Temp\win32.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe
C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe C:\Users\Admin\AppData\Local\Temp\klsqys
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe
C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe C:\Users\Admin\AppData\Local\Temp\klsqys
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:484

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe"
3⤵
PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\klsqys

MD5
74894acf2f92497a4112350086628a69

SHA1
d89bbaa9815a9dab1bb78b9caa0e59102af14007

SHA256
ed3cd1384a99d8bf6689d7da1da1caeec9aca71f969da688bbe8c4207128a813

SHA512
cdd4452e2b23be76d3fbebd1433d59142a5559bdc4aa34dd9c173251f98da02ccbfa9e9319a2ada9b58dcbce5c470edbf75a25f0cf5b13eb071b758befb6573c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md3vfbdcdvnfqyw4m

MD5
6f9be1ba8b37123e0fac76fa9efab260

SHA1
8eedb1159c8b44333a9d46502405458ed798bce6

SHA256
59c3e8cf49539188344653ce44a43b1138b27fd31ad375bb90f87a41a73abd67

SHA512
c999becfaf06c51e44f63b752d8e7bc0496d8e24233a858af016234dd0357e8d4c90d78ffb9b49f6e4849480bb4215f19f0aa835e527fd5db35ce97fd6876e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe

MD5
faac8659b70789bbc4d0bf78dc566fad

SHA1
ffa98396d0a61efa1ed7213b74c2c8e05a97c40f

SHA256
2a53b351cb91b40c76c2cf95f7cd43650b355fbf77bbe9e249c136367181140b

SHA512
46e62ba555f1eae412f6a304d013897699412d8555137812de24928a236c49f6e4c33096499d1824c68097d9cc88853c786c2afd6ad6dbe34ab3acf0d81b3049

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe

MD5
faac8659b70789bbc4d0bf78dc566fad

SHA1
ffa98396d0a61efa1ed7213b74c2c8e05a97c40f

SHA256
2a53b351cb91b40c76c2cf95f7cd43650b355fbf77bbe9e249c136367181140b

SHA512
46e62ba555f1eae412f6a304d013897699412d8555137812de24928a236c49f6e4c33096499d1824c68097d9cc88853c786c2afd6ad6dbe34ab3acf0d81b3049

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe

MD5
faac8659b70789bbc4d0bf78dc566fad

SHA1
ffa98396d0a61efa1ed7213b74c2c8e05a97c40f

SHA256
2a53b351cb91b40c76c2cf95f7cd43650b355fbf77bbe9e249c136367181140b

SHA512
46e62ba555f1eae412f6a304d013897699412d8555137812de24928a236c49f6e4c33096499d1824c68097d9cc88853c786c2afd6ad6dbe34ab3acf0d81b3049

Download Submit
\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe

MD5
faac8659b70789bbc4d0bf78dc566fad

SHA1
ffa98396d0a61efa1ed7213b74c2c8e05a97c40f

SHA256
2a53b351cb91b40c76c2cf95f7cd43650b355fbf77bbe9e249c136367181140b

SHA512
46e62ba555f1eae412f6a304d013897699412d8555137812de24928a236c49f6e4c33096499d1824c68097d9cc88853c786c2afd6ad6dbe34ab3acf0d81b3049

Download Submit
\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe

MD5
faac8659b70789bbc4d0bf78dc566fad

SHA1
ffa98396d0a61efa1ed7213b74c2c8e05a97c40f

SHA256
2a53b351cb91b40c76c2cf95f7cd43650b355fbf77bbe9e249c136367181140b

SHA512
46e62ba555f1eae412f6a304d013897699412d8555137812de24928a236c49f6e4c33096499d1824c68097d9cc88853c786c2afd6ad6dbe34ab3acf0d81b3049

Download Submit
memory/484-66-0x00000000001B0000-0x00000000001C1000-memory.dmp

Filesize
68KB

Download
memory/484-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/484-63-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/484-65-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/576-69-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/576-68-0x0000000000B80000-0x0000000000B9A000-memory.dmp

Filesize
104KB

Download
memory/576-70-0x0000000002130000-0x0000000002433000-memory.dmp

Filesize
3.0MB

Download
memory/576-71-0x0000000000380000-0x0000000000410000-memory.dmp

Filesize
576KB

Download
memory/800-53-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1436-67-0x0000000006D80000-0x0000000006EF5000-memory.dmp

Filesize
1.5MB

Download
memory/1436-72-0x0000000009070000-0x0000000009184000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads