xloader | 826837df6dde8385f31f1a25df7ebdf946b9519af3142bfb87d4b9196f3822f1

General

Target

918d148a95ceffbf6cf619106cbbc49f.exe
Size

456KB
MD5

918d148a95ceffbf6cf619106cbbc49f
SHA1

32075f31064cbd71e820f9c5a9b1c41e357b17ea
SHA256

826837df6dde8385f31f1a25df7ebdf946b9519af3142bfb87d4b9196f3822f1
SHA512

25d415e45b326d5db660326124fdc189fb1d17198159197ad2ab953bed979116fd743f49d122a7ef70c9735fdef3dc89893ddebe10b950dc88152d75578f2fb7

Score

10^/10

xloader ahc8 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/396-134-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/396-144-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2812-149-0x00000000007C0000-0x00000000007E9000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

cmstp.exe

flow pid process

83 2812 cmstp.exe
Executes dropped EXE 2 IoCs

Processes:

hhdaghixs.exehhdaghixs.exe

pid process

1544 hhdaghixs.exe
396 hhdaghixs.exe

flow	pid	process
83	2812	cmstp.exe

pid	process
1544	hhdaghixs.exe
396	hhdaghixs.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

hhdaghixs.exehhdaghixs.execmstp.exe

description	pid	process	target process
PID 1544 set thread context of 396	1544	hhdaghixs.exe	hhdaghixs.exe
PID 396 set thread context of 3020	396	hhdaghixs.exe	Explorer.EXE
PID 396 set thread context of 3020	396	hhdaghixs.exe	Explorer.EXE
PID 2812 set thread context of 3020	2812	cmstp.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

cmstp.exe

description ioc process

File opened for modification C:\Program Files (x86)\Wchnlgtbp\helpz0pp.exe cmstp.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Wchnlgtbp\helpz0pp.exe	cmstp.exe

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

hhdaghixs.execmstp.exe

pid	process
396	hhdaghixs.exe
396	hhdaghixs.exe
396	hhdaghixs.exe
396	hhdaghixs.exe
396	hhdaghixs.exe
396	hhdaghixs.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe
2812	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

hhdaghixs.execmstp.exe

pid process

396 hhdaghixs.exe
396 hhdaghixs.exe
396 hhdaghixs.exe
396 hhdaghixs.exe
2812 cmstp.exe
2812 cmstp.exe

pid	process
3020	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

hhdaghixs.exesvchost.exeExplorer.EXEcmstp.exeTiWorker.exe

description	pid	process
Token: SeDebugPrivilege	396	hhdaghixs.exe
Token: SeShutdownPrivilege	3176	svchost.exe
Token: SeCreatePagefilePrivilege	3176	svchost.exe
Token: SeShutdownPrivilege	3176	svchost.exe
Token: SeCreatePagefilePrivilege	3176	svchost.exe
Token: SeShutdownPrivilege	3176	svchost.exe
Token: SeCreatePagefilePrivilege	3176	svchost.exe
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeDebugPrivilege	2812	cmstp.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe
Token: SeRestorePrivilege	3112	TiWorker.exe
Token: SeSecurityPrivilege	3112	TiWorker.exe
Token: SeBackupPrivilege	3112	TiWorker.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE

pid	process
3020	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

918d148a95ceffbf6cf619106cbbc49f.exehhdaghixs.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1608 wrote to memory of 1544	1608	918d148a95ceffbf6cf619106cbbc49f.exe	hhdaghixs.exe
PID 1608 wrote to memory of 1544	1608	918d148a95ceffbf6cf619106cbbc49f.exe	hhdaghixs.exe
PID 1608 wrote to memory of 1544	1608	918d148a95ceffbf6cf619106cbbc49f.exe	hhdaghixs.exe
PID 1544 wrote to memory of 396	1544	hhdaghixs.exe	hhdaghixs.exe
PID 1544 wrote to memory of 396	1544	hhdaghixs.exe	hhdaghixs.exe
PID 1544 wrote to memory of 396	1544	hhdaghixs.exe	hhdaghixs.exe
PID 1544 wrote to memory of 396	1544	hhdaghixs.exe	hhdaghixs.exe
PID 1544 wrote to memory of 396	1544	hhdaghixs.exe	hhdaghixs.exe
PID 1544 wrote to memory of 396	1544	hhdaghixs.exe	hhdaghixs.exe
PID 3020 wrote to memory of 2812	3020	Explorer.EXE	cmstp.exe
PID 3020 wrote to memory of 2812	3020	Explorer.EXE	cmstp.exe
PID 3020 wrote to memory of 2812	3020	Explorer.EXE	cmstp.exe
PID 2812 wrote to memory of 3048	2812	cmstp.exe	cmd.exe
PID 2812 wrote to memory of 3048	2812	cmstp.exe	cmd.exe
PID 2812 wrote to memory of 3048	2812	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\918d148a95ceffbf6cf619106cbbc49f.exe
"C:\Users\Admin\AppData\Local\Temp\918d148a95ceffbf6cf619106cbbc49f.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\hhdaghixs.exe
C:\Users\Admin\AppData\Local\Temp\hhdaghixs.exe C:\Users\Admin\AppData\Local\Temp\tuxdcz
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\hhdaghixs.exe
C:\Users\Admin\AppData\Local\Temp\hhdaghixs.exe C:\Users\Admin\AppData\Local\Temp\tuxdcz
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\hhdaghixs.exe"
3⤵
PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2j798lhbkkt8o
MD5
5897b68ea51360f25b31986115a60c72

SHA1
386a004a13238e3b53c3da1c81bd384cde7d2d90

SHA256
dea8c97f4b58274c9570973c711827c5fef1532fed038ca257b9fab11539b6b9

SHA512
7227d24cc4b94734174ba4a02e7a0121f741b59bcbdca7472ac65eb5ee2b22c9ed197012c9788494a4176b78bfcfaaebd5e2c595395f0f8a539a76d6863461b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhdaghixs.exe
MD5
955edc4ecea413644f41bf421dd4a028

SHA1
2e1d9ed0913b4322dd75fd105797e0db71257348

SHA256
4223aca1a531e0afa67b04d04cfc5b9669c2be413963ae525204ec0dc607bd5b

SHA512
953753141654b22c877ab7a383a458d72803ee3437e19ba5f54249b7247e80ce34a318d48d1992e298ee18d8a8204146da26c1ffb91ba200f3e1813dfd003c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhdaghixs.exe
MD5
955edc4ecea413644f41bf421dd4a028

SHA1
2e1d9ed0913b4322dd75fd105797e0db71257348

SHA256
4223aca1a531e0afa67b04d04cfc5b9669c2be413963ae525204ec0dc607bd5b

SHA512
953753141654b22c877ab7a383a458d72803ee3437e19ba5f54249b7247e80ce34a318d48d1992e298ee18d8a8204146da26c1ffb91ba200f3e1813dfd003c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhdaghixs.exe
MD5
955edc4ecea413644f41bf421dd4a028

SHA1
2e1d9ed0913b4322dd75fd105797e0db71257348

SHA256
4223aca1a531e0afa67b04d04cfc5b9669c2be413963ae525204ec0dc607bd5b

SHA512
953753141654b22c877ab7a383a458d72803ee3437e19ba5f54249b7247e80ce34a318d48d1992e298ee18d8a8204146da26c1ffb91ba200f3e1813dfd003c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuxdcz
MD5
492c9af9536eb9f00d2d0624d018a235

SHA1
07247a0540a7853c1d93a36534f689ac74f3f366

SHA256
36a9d2e4f8e91485db0499be77931a5cfaf622d55c2ef2b0b22c992d777298a9

SHA512
1a21f99ff5cbe97a4e819f18d22e97651fc4e5cf0f88ee8a1cb19d51695bb312bf063628afdbf0e24b59aa00143226c6e3fb1a795110dbcfdae6b61c73c39492

Download Submit
memory/396-146-0x0000000001400000-0x0000000001411000-memory.dmp

Filesize
68KB

Download
memory/396-144-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/396-137-0x00000000018F0000-0x0000000001C3A000-memory.dmp

Filesize
3.3MB

Download
memory/396-139-0x00000000013A0000-0x00000000013B1000-memory.dmp

Filesize
68KB

Download
memory/396-138-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/396-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/396-145-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/2812-149-0x00000000007C0000-0x00000000007E9000-memory.dmp

Filesize
164KB

Download
memory/2812-148-0x0000000000570000-0x0000000000586000-memory.dmp

Filesize
88KB

Download
memory/2812-150-0x00000000029F0000-0x0000000002D3A000-memory.dmp

Filesize
3.3MB

Download
memory/2812-151-0x0000000002740000-0x00000000027D0000-memory.dmp

Filesize
576KB

Download
memory/3020-147-0x0000000009240000-0x00000000093AD000-memory.dmp

Filesize
1.4MB

Download
memory/3020-140-0x0000000008A70000-0x0000000008B77000-memory.dmp

Filesize
1.0MB

Download
memory/3020-152-0x000000000AAF0000-0x000000000AC34000-memory.dmp

Filesize
1.3MB

Download
memory/3176-143-0x0000022789600000-0x0000022789604000-memory.dmp

Filesize
16KB

Download
memory/3176-142-0x0000022786F20000-0x0000022786F30000-memory.dmp

Filesize
64KB

Download
memory/3176-141-0x0000022786980000-0x0000022786990000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads