xloader | 6cd98e5cee60f33ca33f4e49d5f230feb6152510230abd25f8b5beab47e2afec

General

Target

Order-826141730-pdf.exe
Size

289KB
MD5

8a43982e93e888387968e03fafb14fd1
SHA1

6328f5db0bd9a28dcfb71b936c6835c375299551
SHA256

6cd98e5cee60f33ca33f4e49d5f230feb6152510230abd25f8b5beab47e2afec
SHA512

68e5b99a36934d0afc494c18607731b146e069b431c210684016b21c48db3b1c3c876084a3641a0a7a59b01fce1c28d9e9210a55666cb62a24170e45b204d113

Score

10^/10

xloader uar3 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/800-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/800-69-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/516-74-0x00000000000C0000-0x00000000000E9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

luficfbm.exeluficfbm.exe

pid process

1876 luficfbm.exe
800 luficfbm.exe
Loads dropped DLL 2 IoCs

Processes:

Order-826141730-pdf.exeluficfbm.exe

pid process

1760 Order-826141730-pdf.exe
1876 luficfbm.exe

pid	process
1876	luficfbm.exe
800	luficfbm.exe

pid	process
1760	Order-826141730-pdf.exe
1876	luficfbm.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

luficfbm.exeluficfbm.exechkdsk.exe

description	pid	process	target process
PID 1876 set thread context of 800	1876	luficfbm.exe	luficfbm.exe
PID 800 set thread context of 1248	800	luficfbm.exe	Explorer.EXE
PID 800 set thread context of 1248	800	luficfbm.exe	Explorer.EXE
PID 516 set thread context of 1248	516	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

luficfbm.exechkdsk.exe

pid	process
800	luficfbm.exe
800	luficfbm.exe
800	luficfbm.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe
516	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

luficfbm.exechkdsk.exe

pid process

800 luficfbm.exe
800 luficfbm.exe
800 luficfbm.exe
800 luficfbm.exe
516 chkdsk.exe
516 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

luficfbm.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 800 luficfbm.exe
Token: SeDebugPrivilege 516 chkdsk.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE

pid	process
1248	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	800	luficfbm.exe
Token: SeDebugPrivilege	516	chkdsk.exe

pid	process
1248	Explorer.EXE
1248	Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Order-826141730-pdf.exeluficfbm.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 1760 wrote to memory of 1876	1760	Order-826141730-pdf.exe	luficfbm.exe
PID 1760 wrote to memory of 1876	1760	Order-826141730-pdf.exe	luficfbm.exe
PID 1760 wrote to memory of 1876	1760	Order-826141730-pdf.exe	luficfbm.exe
PID 1760 wrote to memory of 1876	1760	Order-826141730-pdf.exe	luficfbm.exe
PID 1876 wrote to memory of 800	1876	luficfbm.exe	luficfbm.exe
PID 1876 wrote to memory of 800	1876	luficfbm.exe	luficfbm.exe
PID 1876 wrote to memory of 800	1876	luficfbm.exe	luficfbm.exe
PID 1876 wrote to memory of 800	1876	luficfbm.exe	luficfbm.exe
PID 1876 wrote to memory of 800	1876	luficfbm.exe	luficfbm.exe
PID 1876 wrote to memory of 800	1876	luficfbm.exe	luficfbm.exe
PID 1876 wrote to memory of 800	1876	luficfbm.exe	luficfbm.exe
PID 1248 wrote to memory of 516	1248	Explorer.EXE	chkdsk.exe
PID 1248 wrote to memory of 516	1248	Explorer.EXE	chkdsk.exe
PID 1248 wrote to memory of 516	1248	Explorer.EXE	chkdsk.exe
PID 1248 wrote to memory of 516	1248	Explorer.EXE	chkdsk.exe
PID 516 wrote to memory of 976	516	chkdsk.exe	cmd.exe
PID 516 wrote to memory of 976	516	chkdsk.exe	cmd.exe
PID 516 wrote to memory of 976	516	chkdsk.exe	cmd.exe
PID 516 wrote to memory of 976	516	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\Order-826141730-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Order-826141730-pdf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\luficfbm.exe
C:\Users\Admin\AppData\Local\Temp\luficfbm.exe C:\Users\Admin\AppData\Local\Temp\mtuwtwg
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\luficfbm.exe
C:\Users\Admin\AppData\Local\Temp\luficfbm.exe C:\Users\Admin\AppData\Local\Temp\mtuwtwg
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\luficfbm.exe"
3⤵
PID:976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\luficfbm.exe
MD5
4af5b3b1cd041ab843382f93ad6c2789

SHA1
9759a4fce91218ff80001013c7cf9e30d4314f39

SHA256
16c24c9af6ea42b6922724eeaf4041f828d873385c5311487038c3717fc299e2

SHA512
a0ea24ed5ee97c33b46158986120c053b0fecda7b06585c4d3a77aebbf784af3d2f17a3a0e1675654c94d5684cd9efb8fbb207dd8e8cc4b71765c409e0262f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\luficfbm.exe
MD5
4af5b3b1cd041ab843382f93ad6c2789

SHA1
9759a4fce91218ff80001013c7cf9e30d4314f39

SHA256
16c24c9af6ea42b6922724eeaf4041f828d873385c5311487038c3717fc299e2

SHA512
a0ea24ed5ee97c33b46158986120c053b0fecda7b06585c4d3a77aebbf784af3d2f17a3a0e1675654c94d5684cd9efb8fbb207dd8e8cc4b71765c409e0262f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\luficfbm.exe
MD5
4af5b3b1cd041ab843382f93ad6c2789

SHA1
9759a4fce91218ff80001013c7cf9e30d4314f39

SHA256
16c24c9af6ea42b6922724eeaf4041f828d873385c5311487038c3717fc299e2

SHA512
a0ea24ed5ee97c33b46158986120c053b0fecda7b06585c4d3a77aebbf784af3d2f17a3a0e1675654c94d5684cd9efb8fbb207dd8e8cc4b71765c409e0262f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtuwtwg
MD5
931fd4faa392ee85e6ed59c5e06f7f8b

SHA1
ab429dd4705545aa185c4df3dfce804dd7dcb70c

SHA256
d0a32dc4668f9040fea078eb8a193bddf98eae674432cbaeb6815a9c84002c97

SHA512
0c31e3ccdc4c9a9ce4b6e1478a6d2c162a6973a622efbd750d1986b54502299d54562582660975872ef1388361230194dc5270f9c2e0d32192dca2ac92c52e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\yib77mookzpru4zy99d3
MD5
9f97f3b2bc9603438f9ba0151c38c7b3

SHA1
ea9b86f66c0d796ddb8cb02077855e06a749d07c

SHA256
e26b5dbc7d4d377e67c7bcf76e36cca9d3e40c38c72682b939ef79532200b385

SHA512
b480ec729c98ebe9274651e04bd6444a09b7e5307450532e66e51884a0436970e702161aa922ad0e2c05a03aa7c1209abbbebe721b75388d1f075a4a847b675c

Download Submit
\Users\Admin\AppData\Local\Temp\luficfbm.exe
MD5
4af5b3b1cd041ab843382f93ad6c2789

SHA1
9759a4fce91218ff80001013c7cf9e30d4314f39

SHA256
16c24c9af6ea42b6922724eeaf4041f828d873385c5311487038c3717fc299e2

SHA512
a0ea24ed5ee97c33b46158986120c053b0fecda7b06585c4d3a77aebbf784af3d2f17a3a0e1675654c94d5684cd9efb8fbb207dd8e8cc4b71765c409e0262f94

Download Submit
\Users\Admin\AppData\Local\Temp\luficfbm.exe
MD5
4af5b3b1cd041ab843382f93ad6c2789

SHA1
9759a4fce91218ff80001013c7cf9e30d4314f39

SHA256
16c24c9af6ea42b6922724eeaf4041f828d873385c5311487038c3717fc299e2

SHA512
a0ea24ed5ee97c33b46158986120c053b0fecda7b06585c4d3a77aebbf784af3d2f17a3a0e1675654c94d5684cd9efb8fbb207dd8e8cc4b71765c409e0262f94

Download Submit
memory/516-74-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/516-76-0x0000000000830000-0x00000000008C0000-memory.dmp

Filesize
576KB

Download
memory/516-75-0x0000000002140000-0x0000000002443000-memory.dmp

Filesize
3.0MB

Download
memory/516-73-0x00000000008D0000-0x00000000008D7000-memory.dmp

Filesize
28KB

Download
memory/800-66-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/800-67-0x0000000000480000-0x0000000000491000-memory.dmp

Filesize
68KB

Download
memory/800-69-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/800-71-0x00000000004D0000-0x00000000004E1000-memory.dmp

Filesize
68KB

Download
memory/800-70-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/800-65-0x00000000006E0000-0x00000000009E3000-memory.dmp

Filesize
3.0MB

Download
memory/800-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1248-72-0x00000000076D0000-0x000000000783C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-68-0x00000000073D0000-0x0000000007555000-memory.dmp

Filesize
1.5MB

Download
memory/1248-77-0x00000000061F0000-0x00000000062EB000-memory.dmp

Filesize
1004KB

Download
memory/1760-54-0x0000000075341000-0x0000000075343000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads