xloader | cd4c3c2bd35873b1645f1c991feb8c9bd6a0e920b64075114c26ea8e74a4c1c4

General

Target

cd4c3c2bd35873b1645f1c991feb8c9bd6a0e920b64075114c26ea8e74a4c1c4.exe
Size

409KB
MD5

bc8aa22ea84d7c15414faa6e52baf2f6
SHA1

3d1beb573a7040b35b0783c2215d1f4ce674e1a8
SHA256

cd4c3c2bd35873b1645f1c991feb8c9bd6a0e920b64075114c26ea8e74a4c1c4
SHA512

fc9eeeadaa8f910bec3a7d2e91c70a15dc68b73cd725c12e4e102fc42be8619a7d8590b4a4276e0d3f017bed5686b48e5f70d2c75a20641ca24f5c8c5af02234

Score

10^/10

xloader ahc8 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3876-119-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/3876-123-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/3420-129-0x0000000003100000-0x0000000003129000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

cscript.exe

flow pid process

21 3420 cscript.exe
Executes dropped EXE 2 IoCs

Processes:

nbutivrxkc.exenbutivrxkc.exe

pid process

4156 nbutivrxkc.exe
3876 nbutivrxkc.exe

flow	pid	process
21	3420	cscript.exe

pid	process
4156	nbutivrxkc.exe
3876	nbutivrxkc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

nbutivrxkc.exenbutivrxkc.execscript.exe

description	pid	process	target process
PID 4156 set thread context of 3876	4156	nbutivrxkc.exe	nbutivrxkc.exe
PID 3876 set thread context of 3032	3876	nbutivrxkc.exe	Explorer.EXE
PID 3420 set thread context of 3032	3420	cscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

nbutivrxkc.execscript.exe

pid	process
3876	nbutivrxkc.exe
3876	nbutivrxkc.exe
3876	nbutivrxkc.exe
3876	nbutivrxkc.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe
3420	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3032 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

nbutivrxkc.execscript.exe

pid process

3876 nbutivrxkc.exe
3876 nbutivrxkc.exe
3876 nbutivrxkc.exe
3420 cscript.exe
3420 cscript.exe

pid	process
3032	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

nbutivrxkc.execscript.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3876	nbutivrxkc.exe
Token: SeDebugPrivilege	3420	cscript.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cd4c3c2bd35873b1645f1c991feb8c9bd6a0e920b64075114c26ea8e74a4c1c4.exenbutivrxkc.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 5108 wrote to memory of 4156	5108	cd4c3c2bd35873b1645f1c991feb8c9bd6a0e920b64075114c26ea8e74a4c1c4.exe	nbutivrxkc.exe
PID 5108 wrote to memory of 4156	5108	cd4c3c2bd35873b1645f1c991feb8c9bd6a0e920b64075114c26ea8e74a4c1c4.exe	nbutivrxkc.exe
PID 5108 wrote to memory of 4156	5108	cd4c3c2bd35873b1645f1c991feb8c9bd6a0e920b64075114c26ea8e74a4c1c4.exe	nbutivrxkc.exe
PID 4156 wrote to memory of 3876	4156	nbutivrxkc.exe	nbutivrxkc.exe
PID 4156 wrote to memory of 3876	4156	nbutivrxkc.exe	nbutivrxkc.exe
PID 4156 wrote to memory of 3876	4156	nbutivrxkc.exe	nbutivrxkc.exe
PID 4156 wrote to memory of 3876	4156	nbutivrxkc.exe	nbutivrxkc.exe
PID 4156 wrote to memory of 3876	4156	nbutivrxkc.exe	nbutivrxkc.exe
PID 4156 wrote to memory of 3876	4156	nbutivrxkc.exe	nbutivrxkc.exe
PID 3032 wrote to memory of 3420	3032	Explorer.EXE	cscript.exe
PID 3032 wrote to memory of 3420	3032	Explorer.EXE	cscript.exe
PID 3032 wrote to memory of 3420	3032	Explorer.EXE	cscript.exe
PID 3420 wrote to memory of 3672	3420	cscript.exe	cmd.exe
PID 3420 wrote to memory of 3672	3420	cscript.exe	cmd.exe
PID 3420 wrote to memory of 3672	3420	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\cd4c3c2bd35873b1645f1c991feb8c9bd6a0e920b64075114c26ea8e74a4c1c4.exe
"C:\Users\Admin\AppData\Local\Temp\cd4c3c2bd35873b1645f1c991feb8c9bd6a0e920b64075114c26ea8e74a4c1c4.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Users\Admin\AppData\Local\Temp\nbutivrxkc.exe
C:\Users\Admin\AppData\Local\Temp\nbutivrxkc.exe C:\Users\Admin\AppData\Local\Temp\efhgpmycu
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4156

C:\Users\Admin\AppData\Local\Temp\nbutivrxkc.exe
C:\Users\Admin\AppData\Local\Temp\nbutivrxkc.exe C:\Users\Admin\AppData\Local\Temp\efhgpmycu
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\nbutivrxkc.exe"
3⤵
PID:3672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3thcqyo8k432f
MD5
80d510dca0072a3a7eb2f77924fafa9e

SHA1
2b0eafc6fdfadbd8ff215a3d9e90630283f33737

SHA256
09cf0a4e5c932a5c1c7c3549fbdeae041334e02d0dc0482bc803ff8a80685008

SHA512
90aff62f0aea024bce6fe8497a9a49a5062558d380e0c2b4ced5acbe00d38b525b15e7447266caa6764f64521b35163a505fc25c96f8e8dde8378b6d3b667ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\efhgpmycu
MD5
d7da3dc51b4b2703cf68607497899fe3

SHA1
9b51f6194c5f52bf8bbdc5af605d5682a3d3ae15

SHA256
ad2ace9c45df2f7e93e1d6d50b58e14949873dc92da8529f684e429e1089c466

SHA512
b763032639214e05613e3c7e5dd44dc319fc0750874363a934cae781c321323b1e10750668a174be9b16041a4a46a0d3ed812bf4daf29e56d6eb51c98b9dd143

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbutivrxkc.exe
MD5
7bc8aed6c1675063724c2d8e638ff0dd

SHA1
51b525db185e226265c14b129eaecac6726284be

SHA256
8bd46909b3b4c292f7d35ada0756cca34fb39047c0065f8f6f96191a8c35eec0

SHA512
96f2c224afa0c2a7c3b73554f708bccc5e2c261f0ed6b0b8d94c93335fc706702c5d6164dbf9c8514a27dca369d03e20171e350efa78a04075f4b7ffa5089fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbutivrxkc.exe
MD5
7bc8aed6c1675063724c2d8e638ff0dd

SHA1
51b525db185e226265c14b129eaecac6726284be

SHA256
8bd46909b3b4c292f7d35ada0756cca34fb39047c0065f8f6f96191a8c35eec0

SHA512
96f2c224afa0c2a7c3b73554f708bccc5e2c261f0ed6b0b8d94c93335fc706702c5d6164dbf9c8514a27dca369d03e20171e350efa78a04075f4b7ffa5089fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbutivrxkc.exe
MD5
7bc8aed6c1675063724c2d8e638ff0dd

SHA1
51b525db185e226265c14b129eaecac6726284be

SHA256
8bd46909b3b4c292f7d35ada0756cca34fb39047c0065f8f6f96191a8c35eec0

SHA512
96f2c224afa0c2a7c3b73554f708bccc5e2c261f0ed6b0b8d94c93335fc706702c5d6164dbf9c8514a27dca369d03e20171e350efa78a04075f4b7ffa5089fab

Download Submit
memory/3032-131-0x0000000003350000-0x0000000003440000-memory.dmp

Filesize
960KB

Download
memory/3032-126-0x0000000005860000-0x00000000059FC000-memory.dmp

Filesize
1.6MB

Download
memory/3420-128-0x00000000047B0000-0x0000000004AD0000-memory.dmp

Filesize
3.1MB

Download
memory/3420-130-0x0000000004B60000-0x0000000004BF0000-memory.dmp

Filesize
576KB

Download
memory/3420-129-0x0000000003100000-0x0000000003129000-memory.dmp

Filesize
164KB

Download
memory/3420-127-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/3876-119-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3876-124-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/3876-125-0x0000000000D00000-0x0000000000D11000-memory.dmp

Filesize
68KB

Download
memory/3876-123-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3876-122-0x0000000000990000-0x0000000000CB0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads