xloader | cc8d7caae86931fd55dbe76f6dce9cbbfedc3a9bd329c39a63e62c4b58ec39a4

General

Target

SC221420.exe
Size

456KB
MD5

376f50bcc33f115ff257d0c05ac4ba1b
SHA1

6a81172d13f238b8ca60850870070ce8f3b20488
SHA256

0fcfde1ee285a35c722bfdd0b33f08771a26503d4bfc20541726456cf9351af1
SHA512

9bcce9e9dd2f2326f11b8a94867808404af9741e8e0dec59cf073a6eec666acfbb3eaaa26b6bb155060679937ee991048bf4ba3398bc53354c50dd9b61dae81c

Score

10^/10

xloader ahc8 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1696-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1696-67-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/840-76-0x00000000000E0000-0x0000000000109000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

phlnztizg.exephlnztizg.exe

pid process

1312 phlnztizg.exe
1696 phlnztizg.exe
Loads dropped DLL 3 IoCs

Processes:

SC221420.exephlnztizg.exe

pid process

1628 SC221420.exe
1628 SC221420.exe
1312 phlnztizg.exe

pid	process
1312	phlnztizg.exe
1696	phlnztizg.exe

pid	process
1628	SC221420.exe
1628	SC221420.exe
1312	phlnztizg.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

phlnztizg.exephlnztizg.exechkdsk.exe

description	pid	process	target process
PID 1312 set thread context of 1696	1312	phlnztizg.exe	phlnztizg.exe
PID 1696 set thread context of 1384	1696	phlnztizg.exe	Explorer.EXE
PID 1696 set thread context of 1384	1696	phlnztizg.exe	Explorer.EXE
PID 840 set thread context of 1384	840	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

phlnztizg.exechkdsk.exe

pid	process
1696	phlnztizg.exe
1696	phlnztizg.exe
1696	phlnztizg.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe
840	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1384 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

phlnztizg.exechkdsk.exe

pid process

1696 phlnztizg.exe
1696 phlnztizg.exe
1696 phlnztizg.exe
1696 phlnztizg.exe
840 chkdsk.exe
840 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

phlnztizg.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 1696 phlnztizg.exe
Token: SeDebugPrivilege 840 chkdsk.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1384 Explorer.EXE
1384 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1384 Explorer.EXE
1384 Explorer.EXE

pid	process
1384	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1696	phlnztizg.exe
Token: SeDebugPrivilege	840	chkdsk.exe

pid	process
1384	Explorer.EXE
1384	Explorer.EXE

pid	process
1384	Explorer.EXE
1384	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

SC221420.exephlnztizg.exephlnztizg.exechkdsk.exe

description	pid	process	target process
PID 1628 wrote to memory of 1312	1628	SC221420.exe	phlnztizg.exe
PID 1628 wrote to memory of 1312	1628	SC221420.exe	phlnztizg.exe
PID 1628 wrote to memory of 1312	1628	SC221420.exe	phlnztizg.exe
PID 1628 wrote to memory of 1312	1628	SC221420.exe	phlnztizg.exe
PID 1312 wrote to memory of 1696	1312	phlnztizg.exe	phlnztizg.exe
PID 1312 wrote to memory of 1696	1312	phlnztizg.exe	phlnztizg.exe
PID 1312 wrote to memory of 1696	1312	phlnztizg.exe	phlnztizg.exe
PID 1312 wrote to memory of 1696	1312	phlnztizg.exe	phlnztizg.exe
PID 1312 wrote to memory of 1696	1312	phlnztizg.exe	phlnztizg.exe
PID 1312 wrote to memory of 1696	1312	phlnztizg.exe	phlnztizg.exe
PID 1312 wrote to memory of 1696	1312	phlnztizg.exe	phlnztizg.exe
PID 1696 wrote to memory of 840	1696	phlnztizg.exe	chkdsk.exe
PID 1696 wrote to memory of 840	1696	phlnztizg.exe	chkdsk.exe
PID 1696 wrote to memory of 840	1696	phlnztizg.exe	chkdsk.exe
PID 1696 wrote to memory of 840	1696	phlnztizg.exe	chkdsk.exe
PID 840 wrote to memory of 1092	840	chkdsk.exe	cmd.exe
PID 840 wrote to memory of 1092	840	chkdsk.exe	cmd.exe
PID 840 wrote to memory of 1092	840	chkdsk.exe	cmd.exe
PID 840 wrote to memory of 1092	840	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1384

C:\Users\Admin\AppData\Local\Temp\SC221420.exe
"C:\Users\Admin\AppData\Local\Temp\SC221420.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe C:\Users\Admin\AppData\Local\Temp\bxqlkx
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe C:\Users\Admin\AppData\Local\Temp\bxqlkx
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
5⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe"
6⤵
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5i7piex8bs4j
MD5
a52498c2a045ff0a0065ef878e1ffdfe

SHA1
23abc7ebc00bf80780a11dca2d25c46123046088

SHA256
52a72dec9b196122f3008e8f314ca83546448cf48e47ce485398d52edc7c0861

SHA512
25af0ff1d48e4c5d15f22f8d4770ff846dd711ea00a40255db094ebc7340df4ccd760e0654ca021c34d2f85e55b6770a720a01a0affcaa31530bdb28efb01dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxqlkx
MD5
30efdc42eda73cb1c555eaf1484814f9

SHA1
4263d4d980c3e262615f9577d262d96dab3160bc

SHA256
95fc7ef3394623fa4142d220c0b13d62d7e03f0ad23917167dc578eef688f848

SHA512
a67b30b0a9c7660c973b02bb054a43dd113cba575519ed89c054215407f4f8e9c4326f3734a6af4a831b04f3c2ce8907aec6e5aae2f857218f84fc2920fc2459

Download Submit
C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
MD5
f9082eb743fa0bf57bf91d97f5251a44

SHA1
0c58960df67a771c5a780ea0bf1adcbb3296710c

SHA256
c9a316691f8285991d3baad24b188e103c7b9ded0744f91e9c636633f88dbb20

SHA512
30ea6e7257b307c865ecfc0b823270c1c2ed1a6805bf97f0edd54a3d9ac8686764fd4fe3f1ce9c31aeef66ecaf913953e3c89c32cf25efe7c2cfc12b39724d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
MD5
f9082eb743fa0bf57bf91d97f5251a44

SHA1
0c58960df67a771c5a780ea0bf1adcbb3296710c

SHA256
c9a316691f8285991d3baad24b188e103c7b9ded0744f91e9c636633f88dbb20

SHA512
30ea6e7257b307c865ecfc0b823270c1c2ed1a6805bf97f0edd54a3d9ac8686764fd4fe3f1ce9c31aeef66ecaf913953e3c89c32cf25efe7c2cfc12b39724d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
MD5
f9082eb743fa0bf57bf91d97f5251a44

SHA1
0c58960df67a771c5a780ea0bf1adcbb3296710c

SHA256
c9a316691f8285991d3baad24b188e103c7b9ded0744f91e9c636633f88dbb20

SHA512
30ea6e7257b307c865ecfc0b823270c1c2ed1a6805bf97f0edd54a3d9ac8686764fd4fe3f1ce9c31aeef66ecaf913953e3c89c32cf25efe7c2cfc12b39724d62

Download Submit
\Users\Admin\AppData\Local\Temp\phlnztizg.exe
MD5
f9082eb743fa0bf57bf91d97f5251a44

SHA1
0c58960df67a771c5a780ea0bf1adcbb3296710c

SHA256
c9a316691f8285991d3baad24b188e103c7b9ded0744f91e9c636633f88dbb20

SHA512
30ea6e7257b307c865ecfc0b823270c1c2ed1a6805bf97f0edd54a3d9ac8686764fd4fe3f1ce9c31aeef66ecaf913953e3c89c32cf25efe7c2cfc12b39724d62

Download Submit
\Users\Admin\AppData\Local\Temp\phlnztizg.exe
MD5
f9082eb743fa0bf57bf91d97f5251a44

SHA1
0c58960df67a771c5a780ea0bf1adcbb3296710c

SHA256
c9a316691f8285991d3baad24b188e103c7b9ded0744f91e9c636633f88dbb20

SHA512
30ea6e7257b307c865ecfc0b823270c1c2ed1a6805bf97f0edd54a3d9ac8686764fd4fe3f1ce9c31aeef66ecaf913953e3c89c32cf25efe7c2cfc12b39724d62

Download Submit
\Users\Admin\AppData\Local\Temp\phlnztizg.exe
MD5
f9082eb743fa0bf57bf91d97f5251a44

SHA1
0c58960df67a771c5a780ea0bf1adcbb3296710c

SHA256
c9a316691f8285991d3baad24b188e103c7b9ded0744f91e9c636633f88dbb20

SHA512
30ea6e7257b307c865ecfc0b823270c1c2ed1a6805bf97f0edd54a3d9ac8686764fd4fe3f1ce9c31aeef66ecaf913953e3c89c32cf25efe7c2cfc12b39724d62

Download Submit
memory/840-77-0x0000000002080000-0x0000000002383000-memory.dmp

Filesize
3.0MB

Download
memory/840-78-0x00000000005C0000-0x0000000000650000-memory.dmp

Filesize
576KB

Download
memory/840-76-0x00000000000E0000-0x0000000000109000-memory.dmp

Filesize
164KB

Download
memory/840-75-0x0000000000680000-0x0000000000687000-memory.dmp

Filesize
28KB

Download
memory/1384-79-0x00000000025C0000-0x0000000002682000-memory.dmp

Filesize
776KB

Download
memory/1384-74-0x0000000005090000-0x0000000005201000-memory.dmp

Filesize
1.4MB

Download
memory/1384-70-0x0000000006CE0000-0x0000000006E67000-memory.dmp

Filesize
1.5MB

Download
memory/1628-55-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1696-67-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1696-73-0x0000000000380000-0x0000000000391000-memory.dmp

Filesize
68KB

Download
memory/1696-72-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1696-69-0x0000000000340000-0x0000000000351000-memory.dmp

Filesize
68KB

Download
memory/1696-68-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1696-66-0x0000000000740000-0x0000000000A43000-memory.dmp

Filesize
3.0MB

Download
memory/1696-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads