xloader | 4d854fee4f2e2a7b2afb2c13b28207f5388b095d0f7f053b90e03cf5873904e9

General

Target

d6ff1bf3d769e567a0e41f7651a56c07.exe
Size

293KB
MD5

d6ff1bf3d769e567a0e41f7651a56c07
SHA1

291bcef2a4335eaac400271209d0c0e99486b64c
SHA256

4d854fee4f2e2a7b2afb2c13b28207f5388b095d0f7f053b90e03cf5873904e9
SHA512

aeaf170b6771653c13140aace7c4803ecdeee1dab95c2986f1893f63aaddab84ae7255095cb55b0c86c857684c90b5e5f8c764ec7e69dc3a7c6f9340cbc080e6

Score

10^/10

xloader o6tg loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

o6tg

Decoy

turkscaicosonline.com

novelfoodtech.com

zgrmfww.com

gestionalcliente24hrs.store

postrojka.com

tapissier-uzes.com

tobytram.one

preamblegames.com

clicklinkzs.com

franksenen.com

beautygateway.net

foils-online.com

aout.us

promarkoperations.com

alignatura.com

changemylifefast.info

minbex.icu

internethustlersociety.com

chinacqn.com

fibsh.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/524-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/524-69-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/336-75-0x0000000000090000-0x00000000000B9000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

28 336 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

ugdlxyklyf.exeugdlxyklyf.exe

pid process

964 ugdlxyklyf.exe
524 ugdlxyklyf.exe
Loads dropped DLL 2 IoCs

Processes:

d6ff1bf3d769e567a0e41f7651a56c07.exeugdlxyklyf.exe

pid process

1396 d6ff1bf3d769e567a0e41f7651a56c07.exe
964 ugdlxyklyf.exe

flow	pid	process
28	336	rundll32.exe

pid	process
964	ugdlxyklyf.exe
524	ugdlxyklyf.exe

pid	process
1396	d6ff1bf3d769e567a0e41f7651a56c07.exe
964	ugdlxyklyf.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ugdlxyklyf.exeugdlxyklyf.exerundll32.exe

description	pid	process	target process
PID 964 set thread context of 524	964	ugdlxyklyf.exe	ugdlxyklyf.exe
PID 524 set thread context of 1404	524	ugdlxyklyf.exe	Explorer.EXE
PID 524 set thread context of 1404	524	ugdlxyklyf.exe	Explorer.EXE
PID 336 set thread context of 1404	336	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

ugdlxyklyf.exerundll32.exe

pid	process
524	ugdlxyklyf.exe
524	ugdlxyklyf.exe
524	ugdlxyklyf.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1404 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

ugdlxyklyf.exerundll32.exe

pid process

524 ugdlxyklyf.exe
524 ugdlxyklyf.exe
524 ugdlxyklyf.exe
524 ugdlxyklyf.exe
336 rundll32.exe
336 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ugdlxyklyf.exerundll32.exe

description pid process

Token: SeDebugPrivilege 524 ugdlxyklyf.exe
Token: SeDebugPrivilege 336 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1404 Explorer.EXE
1404 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1404 Explorer.EXE
1404 Explorer.EXE

pid	process
1404	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	524	ugdlxyklyf.exe
Token: SeDebugPrivilege	336	rundll32.exe

pid	process
1404	Explorer.EXE
1404	Explorer.EXE

pid	process
1404	Explorer.EXE
1404	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

d6ff1bf3d769e567a0e41f7651a56c07.exeugdlxyklyf.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1396 wrote to memory of 964	1396	d6ff1bf3d769e567a0e41f7651a56c07.exe	ugdlxyklyf.exe
PID 1396 wrote to memory of 964	1396	d6ff1bf3d769e567a0e41f7651a56c07.exe	ugdlxyklyf.exe
PID 1396 wrote to memory of 964	1396	d6ff1bf3d769e567a0e41f7651a56c07.exe	ugdlxyklyf.exe
PID 1396 wrote to memory of 964	1396	d6ff1bf3d769e567a0e41f7651a56c07.exe	ugdlxyklyf.exe
PID 964 wrote to memory of 524	964	ugdlxyklyf.exe	ugdlxyklyf.exe
PID 964 wrote to memory of 524	964	ugdlxyklyf.exe	ugdlxyklyf.exe
PID 964 wrote to memory of 524	964	ugdlxyklyf.exe	ugdlxyklyf.exe
PID 964 wrote to memory of 524	964	ugdlxyklyf.exe	ugdlxyklyf.exe
PID 964 wrote to memory of 524	964	ugdlxyklyf.exe	ugdlxyklyf.exe
PID 964 wrote to memory of 524	964	ugdlxyklyf.exe	ugdlxyklyf.exe
PID 964 wrote to memory of 524	964	ugdlxyklyf.exe	ugdlxyklyf.exe
PID 1404 wrote to memory of 336	1404	Explorer.EXE	rundll32.exe
PID 1404 wrote to memory of 336	1404	Explorer.EXE	rundll32.exe
PID 1404 wrote to memory of 336	1404	Explorer.EXE	rundll32.exe
PID 1404 wrote to memory of 336	1404	Explorer.EXE	rundll32.exe
PID 1404 wrote to memory of 336	1404	Explorer.EXE	rundll32.exe
PID 1404 wrote to memory of 336	1404	Explorer.EXE	rundll32.exe
PID 1404 wrote to memory of 336	1404	Explorer.EXE	rundll32.exe
PID 336 wrote to memory of 1272	336	rundll32.exe	cmd.exe
PID 336 wrote to memory of 1272	336	rundll32.exe	cmd.exe
PID 336 wrote to memory of 1272	336	rundll32.exe	cmd.exe
PID 336 wrote to memory of 1272	336	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\d6ff1bf3d769e567a0e41f7651a56c07.exe
"C:\Users\Admin\AppData\Local\Temp\d6ff1bf3d769e567a0e41f7651a56c07.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe
C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe C:\Users\Admin\AppData\Local\Temp\zzyuvlggsv
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe
C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe C:\Users\Admin\AppData\Local\Temp\zzyuvlggsv
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe"
3⤵
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe
MD5
e6edbf0a9ffeb3998434ca4019d293d1

SHA1
aefb354b4a41a9890d8cb0f597feb37d5776346d

SHA256
256d4603e58efac93fdde34cf68f44987534a2264201db068127b1f895b4406b

SHA512
10afaf42aaa25190e236fda36b85e706bd262a7393ed8e944ed1d7a58865c234a015da32bf6da336e602999812b097208a82f2c943d91a12953435d97caffaf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe
MD5
e6edbf0a9ffeb3998434ca4019d293d1

SHA1
aefb354b4a41a9890d8cb0f597feb37d5776346d

SHA256
256d4603e58efac93fdde34cf68f44987534a2264201db068127b1f895b4406b

SHA512
10afaf42aaa25190e236fda36b85e706bd262a7393ed8e944ed1d7a58865c234a015da32bf6da336e602999812b097208a82f2c943d91a12953435d97caffaf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe
MD5
e6edbf0a9ffeb3998434ca4019d293d1

SHA1
aefb354b4a41a9890d8cb0f597feb37d5776346d

SHA256
256d4603e58efac93fdde34cf68f44987534a2264201db068127b1f895b4406b

SHA512
10afaf42aaa25190e236fda36b85e706bd262a7393ed8e944ed1d7a58865c234a015da32bf6da336e602999812b097208a82f2c943d91a12953435d97caffaf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxjvir5wwgz496elm3y9
MD5
bbe94bdaf91779f7986662a6ac131393

SHA1
a92a54050477f056fd7e8988f8f1227cdacf44d1

SHA256
bd41d15e50f0f3d50df77ebfa4fc3c889f5d32587caf45bb4153a94b926afdad

SHA512
f13669421abf38581d92c84f59606f8c3ad8653279404dd8e3e60000d8d20bdf4d332e7f68593ee2ee9f8c736b682e29847702e02744854ec5f3ad89b9d87a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzyuvlggsv
MD5
b1f4b4df1d2f1ab1af796352b7f7f378

SHA1
8573d9772eeda929a21ed1b62bb364b6ec2c0ceb

SHA256
e29d73dad0b0c8c58994505e18a37e97a0ea4edf692544c57f7cf95b034c802c

SHA512
c154d9a51c2700b13dd975720b12ba9fd97b7afac7b9cf72d1373174ee9185a2d0b7a571055a98372a185a51fab308cf47ef5c6f861b1f7679b13101990a7586

Download Submit
\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe
MD5
e6edbf0a9ffeb3998434ca4019d293d1

SHA1
aefb354b4a41a9890d8cb0f597feb37d5776346d

SHA256
256d4603e58efac93fdde34cf68f44987534a2264201db068127b1f895b4406b

SHA512
10afaf42aaa25190e236fda36b85e706bd262a7393ed8e944ed1d7a58865c234a015da32bf6da336e602999812b097208a82f2c943d91a12953435d97caffaf5

Download Submit
\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe
MD5
e6edbf0a9ffeb3998434ca4019d293d1

SHA1
aefb354b4a41a9890d8cb0f597feb37d5776346d

SHA256
256d4603e58efac93fdde34cf68f44987534a2264201db068127b1f895b4406b

SHA512
10afaf42aaa25190e236fda36b85e706bd262a7393ed8e944ed1d7a58865c234a015da32bf6da336e602999812b097208a82f2c943d91a12953435d97caffaf5

Download Submit
memory/336-74-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/336-77-0x00000000004A0000-0x0000000000530000-memory.dmp

Filesize
576KB

Download
memory/336-76-0x0000000002170000-0x0000000002473000-memory.dmp

Filesize
3.0MB

Download
memory/336-75-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/524-65-0x0000000000820000-0x0000000000B23000-memory.dmp

Filesize
3.0MB

Download
memory/524-69-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/524-70-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/524-71-0x0000000000350000-0x0000000000361000-memory.dmp

Filesize
68KB

Download
memory/524-67-0x0000000000200000-0x0000000000211000-memory.dmp

Filesize
68KB

Download
memory/524-66-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/524-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1396-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1404-68-0x0000000006CF0000-0x0000000006DE7000-memory.dmp

Filesize
988KB

Download
memory/1404-72-0x0000000006DF0000-0x0000000006ED1000-memory.dmp

Filesize
900KB

Download
memory/1404-78-0x0000000004990000-0x0000000004A26000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads