xloader | 4d854fee4f2e2a7b2afb2c13b28207f5388b095d0f7f053b90e03cf5873904e9

General

Target

d6ff1bf3d769e567a0e41f7651a56c07.exe
Size

293KB
MD5

d6ff1bf3d769e567a0e41f7651a56c07
SHA1

291bcef2a4335eaac400271209d0c0e99486b64c
SHA256

4d854fee4f2e2a7b2afb2c13b28207f5388b095d0f7f053b90e03cf5873904e9
SHA512

aeaf170b6771653c13140aace7c4803ecdeee1dab95c2986f1893f63aaddab84ae7255095cb55b0c86c857684c90b5e5f8c764ec7e69dc3a7c6f9340cbc080e6

Score

10^/10

xloader o6tg loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

o6tg

Decoy

turkscaicosonline.com

novelfoodtech.com

zgrmfww.com

gestionalcliente24hrs.store

postrojka.com

tapissier-uzes.com

tobytram.one

preamblegames.com

clicklinkzs.com

franksenen.com

beautygateway.net

foils-online.com

aout.us

promarkoperations.com

alignatura.com

changemylifefast.info

minbex.icu

internethustlersociety.com

chinacqn.com

fibsh.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE APT-C-23 Activity (GET)
suricata: ET MALWARE APT-C-23 Activity (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2460-137-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1200-145-0x0000000000380000-0x00000000003A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

ugdlxyklyf.exeugdlxyklyf.exe

pid process

2480 ugdlxyklyf.exe
2460 ugdlxyklyf.exe

pid	process
2480	ugdlxyklyf.exe
2460	ugdlxyklyf.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ugdlxyklyf.exeugdlxyklyf.exesystray.exe

description	pid	process	target process
PID 2480 set thread context of 2460	2480	ugdlxyklyf.exe	ugdlxyklyf.exe
PID 2460 set thread context of 896	2460	ugdlxyklyf.exe	Explorer.EXE
PID 1200 set thread context of 896	1200	systray.exe	Explorer.EXE

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

ugdlxyklyf.exesystray.exe

pid	process
2460	ugdlxyklyf.exe
2460	ugdlxyklyf.exe
2460	ugdlxyklyf.exe
2460	ugdlxyklyf.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe
1200	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

896 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

ugdlxyklyf.exesystray.exe

pid process

2460 ugdlxyklyf.exe
2460 ugdlxyklyf.exe
2460 ugdlxyklyf.exe
1200 systray.exe
1200 systray.exe

pid	process
896	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ugdlxyklyf.exesystray.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeDebugPrivilege	2460	ugdlxyklyf.exe
Token: SeDebugPrivilege	1200	systray.exe
Token: SeShutdownPrivilege	3220	svchost.exe
Token: SeCreatePagefilePrivilege	3220	svchost.exe
Token: SeShutdownPrivilege	3220	svchost.exe
Token: SeCreatePagefilePrivilege	3220	svchost.exe
Token: SeShutdownPrivilege	3220	svchost.exe
Token: SeCreatePagefilePrivilege	3220	svchost.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe
Token: SeSecurityPrivilege	2320	TiWorker.exe
Token: SeBackupPrivilege	2320	TiWorker.exe
Token: SeRestorePrivilege	2320	TiWorker.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

896 Explorer.EXE
896 Explorer.EXE

pid	process
896	Explorer.EXE
896	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

d6ff1bf3d769e567a0e41f7651a56c07.exeugdlxyklyf.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 3084 wrote to memory of 2480	3084	d6ff1bf3d769e567a0e41f7651a56c07.exe	ugdlxyklyf.exe
PID 3084 wrote to memory of 2480	3084	d6ff1bf3d769e567a0e41f7651a56c07.exe	ugdlxyklyf.exe
PID 3084 wrote to memory of 2480	3084	d6ff1bf3d769e567a0e41f7651a56c07.exe	ugdlxyklyf.exe
PID 2480 wrote to memory of 2460	2480	ugdlxyklyf.exe	ugdlxyklyf.exe
PID 2480 wrote to memory of 2460	2480	ugdlxyklyf.exe	ugdlxyklyf.exe
PID 2480 wrote to memory of 2460	2480	ugdlxyklyf.exe	ugdlxyklyf.exe
PID 2480 wrote to memory of 2460	2480	ugdlxyklyf.exe	ugdlxyklyf.exe
PID 2480 wrote to memory of 2460	2480	ugdlxyklyf.exe	ugdlxyklyf.exe
PID 2480 wrote to memory of 2460	2480	ugdlxyklyf.exe	ugdlxyklyf.exe
PID 896 wrote to memory of 1200	896	Explorer.EXE	systray.exe
PID 896 wrote to memory of 1200	896	Explorer.EXE	systray.exe
PID 896 wrote to memory of 1200	896	Explorer.EXE	systray.exe
PID 1200 wrote to memory of 2004	1200	systray.exe	cmd.exe
PID 1200 wrote to memory of 2004	1200	systray.exe	cmd.exe
PID 1200 wrote to memory of 2004	1200	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:896

C:\Users\Admin\AppData\Local\Temp\d6ff1bf3d769e567a0e41f7651a56c07.exe
"C:\Users\Admin\AppData\Local\Temp\d6ff1bf3d769e567a0e41f7651a56c07.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe
C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe C:\Users\Admin\AppData\Local\Temp\zzyuvlggsv
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe
C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe C:\Users\Admin\AppData\Local\Temp\zzyuvlggsv
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe"
3⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe
MD5
e6edbf0a9ffeb3998434ca4019d293d1

SHA1
aefb354b4a41a9890d8cb0f597feb37d5776346d

SHA256
256d4603e58efac93fdde34cf68f44987534a2264201db068127b1f895b4406b

SHA512
10afaf42aaa25190e236fda36b85e706bd262a7393ed8e944ed1d7a58865c234a015da32bf6da336e602999812b097208a82f2c943d91a12953435d97caffaf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe
MD5
e6edbf0a9ffeb3998434ca4019d293d1

SHA1
aefb354b4a41a9890d8cb0f597feb37d5776346d

SHA256
256d4603e58efac93fdde34cf68f44987534a2264201db068127b1f895b4406b

SHA512
10afaf42aaa25190e236fda36b85e706bd262a7393ed8e944ed1d7a58865c234a015da32bf6da336e602999812b097208a82f2c943d91a12953435d97caffaf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe
MD5
e6edbf0a9ffeb3998434ca4019d293d1

SHA1
aefb354b4a41a9890d8cb0f597feb37d5776346d

SHA256
256d4603e58efac93fdde34cf68f44987534a2264201db068127b1f895b4406b

SHA512
10afaf42aaa25190e236fda36b85e706bd262a7393ed8e944ed1d7a58865c234a015da32bf6da336e602999812b097208a82f2c943d91a12953435d97caffaf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxjvir5wwgz496elm3y9
MD5
bbe94bdaf91779f7986662a6ac131393

SHA1
a92a54050477f056fd7e8988f8f1227cdacf44d1

SHA256
bd41d15e50f0f3d50df77ebfa4fc3c889f5d32587caf45bb4153a94b926afdad

SHA512
f13669421abf38581d92c84f59606f8c3ad8653279404dd8e3e60000d8d20bdf4d332e7f68593ee2ee9f8c736b682e29847702e02744854ec5f3ad89b9d87a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzyuvlggsv
MD5
b1f4b4df1d2f1ab1af796352b7f7f378

SHA1
8573d9772eeda929a21ed1b62bb364b6ec2c0ceb

SHA256
e29d73dad0b0c8c58994505e18a37e97a0ea4edf692544c57f7cf95b034c802c

SHA512
c154d9a51c2700b13dd975720b12ba9fd97b7afac7b9cf72d1373174ee9185a2d0b7a571055a98372a185a51fab308cf47ef5c6f861b1f7679b13101990a7586

Download Submit
memory/896-151-0x0000000008DA0000-0x0000000008EC4000-memory.dmp

Filesize
1.1MB

Download
memory/896-143-0x00000000075F0000-0x000000000776C000-memory.dmp

Filesize
1.5MB

Download
memory/1200-146-0x0000000002640000-0x000000000298A000-memory.dmp

Filesize
3.3MB

Download
memory/1200-150-0x00000000022A0000-0x0000000002330000-memory.dmp

Filesize
576KB

Download
memory/1200-145-0x0000000000380000-0x00000000003A9000-memory.dmp

Filesize
164KB

Download
memory/1200-144-0x0000000000E80000-0x0000000000E86000-memory.dmp

Filesize
24KB

Download
memory/2460-137-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2460-142-0x00000000019E0000-0x00000000019F1000-memory.dmp

Filesize
68KB

Download
memory/2460-140-0x0000000001510000-0x000000000185A000-memory.dmp

Filesize
3.3MB

Download
memory/2460-141-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/3220-147-0x000002ABF0B90000-0x000002ABF0BA0000-memory.dmp

Filesize
64KB

Download
memory/3220-148-0x000002ABF1360000-0x000002ABF1370000-memory.dmp

Filesize
64KB

Download
memory/3220-149-0x000002ABF3F70000-0x000002ABF3F74000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads