xloader | 3353fe4567105c292bdae27525448f7d7a5d0b174e097355ff04e75057dd63f3

General

Target

RECEIPT REF NO 002627262.exe
Size

302KB
MD5

5d333987aafbd8bf8df57e9b9e56b4ac
SHA1

c7bc50b60c4b20e1bf40eed679def38e46c0fb13
SHA256

3353fe4567105c292bdae27525448f7d7a5d0b174e097355ff04e75057dd63f3
SHA512

38eccdd1bd52da95835c8305257aa0b548a7582d04a87f2c06e82365cf00fdd699cb6ecc46b40146a658b9f4efae562141d809ad7b05ddfebc5d694b6417e517

Score

10^/10

xloader rmfg loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rmfg

Decoy

prospectcompounding.com

grand-prix.voyage

solvingpklogc.xyz

eliamhome.com

gamevip88.club

arsels.info

dswlt.com

dchehe.com

lawyerjerusalem.com

pbnseo.xyz

apuryifuid.com

kiukiupoker88.net

leannonimpact.com

kare-furniture.com

mississaugaremax.online

zpyh198.com

dueplay.store

naimi.ltd

greenstepspodiatry.com

cewirtanen.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1804-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1804-66-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/660-73-0x0000000000100000-0x0000000000129000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

wpxizwm.exewpxizwm.exe

pid process

1868 wpxizwm.exe
1804 wpxizwm.exe
Loads dropped DLL 2 IoCs

Processes:

RECEIPT REF NO 002627262.exewpxizwm.exe

pid process

1048 RECEIPT REF NO 002627262.exe
1868 wpxizwm.exe

pid	process
1868	wpxizwm.exe
1804	wpxizwm.exe

pid	process
1048	RECEIPT REF NO 002627262.exe
1868	wpxizwm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

wpxizwm.exewpxizwm.execolorcpl.exe

description	pid	process	target process
PID 1868 set thread context of 1804	1868	wpxizwm.exe	wpxizwm.exe
PID 1804 set thread context of 1220	1804	wpxizwm.exe	Explorer.EXE
PID 660 set thread context of 1220	660	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

wpxizwm.execolorcpl.exe

pid	process
1804	wpxizwm.exe
1804	wpxizwm.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe
660	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

wpxizwm.execolorcpl.exe

pid process

1804 wpxizwm.exe
1804 wpxizwm.exe
1804 wpxizwm.exe
660 colorcpl.exe
660 colorcpl.exe

pid	process
1220	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

wpxizwm.execolorcpl.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1804	wpxizwm.exe
Token: SeDebugPrivilege	660	colorcpl.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: SeShutdownPrivilege	1220	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

RECEIPT REF NO 002627262.exewpxizwm.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 1048 wrote to memory of 1868	1048	RECEIPT REF NO 002627262.exe	wpxizwm.exe
PID 1048 wrote to memory of 1868	1048	RECEIPT REF NO 002627262.exe	wpxizwm.exe
PID 1048 wrote to memory of 1868	1048	RECEIPT REF NO 002627262.exe	wpxizwm.exe
PID 1048 wrote to memory of 1868	1048	RECEIPT REF NO 002627262.exe	wpxizwm.exe
PID 1868 wrote to memory of 1804	1868	wpxizwm.exe	wpxizwm.exe
PID 1868 wrote to memory of 1804	1868	wpxizwm.exe	wpxizwm.exe
PID 1868 wrote to memory of 1804	1868	wpxizwm.exe	wpxizwm.exe
PID 1868 wrote to memory of 1804	1868	wpxizwm.exe	wpxizwm.exe
PID 1868 wrote to memory of 1804	1868	wpxizwm.exe	wpxizwm.exe
PID 1868 wrote to memory of 1804	1868	wpxizwm.exe	wpxizwm.exe
PID 1868 wrote to memory of 1804	1868	wpxizwm.exe	wpxizwm.exe
PID 1220 wrote to memory of 660	1220	Explorer.EXE	colorcpl.exe
PID 1220 wrote to memory of 660	1220	Explorer.EXE	colorcpl.exe
PID 1220 wrote to memory of 660	1220	Explorer.EXE	colorcpl.exe
PID 1220 wrote to memory of 660	1220	Explorer.EXE	colorcpl.exe
PID 660 wrote to memory of 972	660	colorcpl.exe	cmd.exe
PID 660 wrote to memory of 972	660	colorcpl.exe	cmd.exe
PID 660 wrote to memory of 972	660	colorcpl.exe	cmd.exe
PID 660 wrote to memory of 972	660	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\RECEIPT REF NO 002627262.exe
"C:\Users\Admin\AppData\Local\Temp\RECEIPT REF NO 002627262.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe
C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe C:\Users\Admin\AppData\Local\Temp\vdean
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe
C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe C:\Users\Admin\AppData\Local\Temp\vdean
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe"
3⤵
PID:972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vdean
MD5
a04faf63da2fbfb5679e41d04140939e

SHA1
b8d6dbb0f2fafdeeead79c0cd62326cda95a8785

SHA256
c6144a6b0af2eaaa5b1226448b012740bcad08bc401a4f697d755b571c066a7c

SHA512
cd98d5fc8708992769cd7d792c3bd09624983e548e949a9844677f58ddf51c5f2cd479b2e05ae734054d8633f6cddf0127165c54903fec897a86bdef1ce7a866

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe
MD5
05f07e533e418df0521a64d9af400daf

SHA1
43408653ea6d815bc7acb11a1328982c5e61aff8

SHA256
9371dfe491756a047f8617103536db01dfcf8a4dfac1530f598b0a6cb5981abd

SHA512
54ed026848c0b96a5c6a62629990bf0a6661502bf12e8b3a5fdd68a8678d956bb49bbccc5abc47a722043ff79d7db15844236e28d7a5ad2b150fb479eb4e974f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe
MD5
05f07e533e418df0521a64d9af400daf

SHA1
43408653ea6d815bc7acb11a1328982c5e61aff8

SHA256
9371dfe491756a047f8617103536db01dfcf8a4dfac1530f598b0a6cb5981abd

SHA512
54ed026848c0b96a5c6a62629990bf0a6661502bf12e8b3a5fdd68a8678d956bb49bbccc5abc47a722043ff79d7db15844236e28d7a5ad2b150fb479eb4e974f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe
MD5
05f07e533e418df0521a64d9af400daf

SHA1
43408653ea6d815bc7acb11a1328982c5e61aff8

SHA256
9371dfe491756a047f8617103536db01dfcf8a4dfac1530f598b0a6cb5981abd

SHA512
54ed026848c0b96a5c6a62629990bf0a6661502bf12e8b3a5fdd68a8678d956bb49bbccc5abc47a722043ff79d7db15844236e28d7a5ad2b150fb479eb4e974f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsyco49pmc4l
MD5
945121f49321875af38fe7f12dd2343e

SHA1
f2cf4c6a504815e362a18cce671b6c0b371629e1

SHA256
ff66241def80707fe029fefa54441de9eb88028c5cc33f20ef080cf2e04254e5

SHA512
1ca2a7f9c3e1c535514ebc9a5861c4f632a39354351e63a074081b864cd9592636781fe5714dad8472148ba1b5f0f41b104075556960aec73b3510f6ff3d6634

Download Submit
\Users\Admin\AppData\Local\Temp\wpxizwm.exe
MD5
05f07e533e418df0521a64d9af400daf

SHA1
43408653ea6d815bc7acb11a1328982c5e61aff8

SHA256
9371dfe491756a047f8617103536db01dfcf8a4dfac1530f598b0a6cb5981abd

SHA512
54ed026848c0b96a5c6a62629990bf0a6661502bf12e8b3a5fdd68a8678d956bb49bbccc5abc47a722043ff79d7db15844236e28d7a5ad2b150fb479eb4e974f

Download Submit
\Users\Admin\AppData\Local\Temp\wpxizwm.exe
MD5
05f07e533e418df0521a64d9af400daf

SHA1
43408653ea6d815bc7acb11a1328982c5e61aff8

SHA256
9371dfe491756a047f8617103536db01dfcf8a4dfac1530f598b0a6cb5981abd

SHA512
54ed026848c0b96a5c6a62629990bf0a6661502bf12e8b3a5fdd68a8678d956bb49bbccc5abc47a722043ff79d7db15844236e28d7a5ad2b150fb479eb4e974f

Download Submit
memory/660-75-0x00000000008B0000-0x0000000000940000-memory.dmp

Filesize
576KB

Download
memory/660-74-0x0000000000A00000-0x0000000000D03000-memory.dmp

Filesize
3.0MB

Download
memory/660-73-0x0000000000100000-0x0000000000129000-memory.dmp

Filesize
164KB

Download
memory/660-72-0x0000000000F30000-0x0000000000F48000-memory.dmp

Filesize
96KB

Download
memory/1048-54-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/1220-76-0x0000000006380000-0x0000000006473000-memory.dmp

Filesize
972KB

Download
memory/1220-70-0x0000000005E70000-0x0000000005FEC000-memory.dmp

Filesize
1.5MB

Download
memory/1804-66-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1804-69-0x0000000000360000-0x0000000000371000-memory.dmp

Filesize
68KB

Download
memory/1804-68-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1804-67-0x0000000000920000-0x0000000000C23000-memory.dmp

Filesize
3.0MB

Download
memory/1804-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1868-62-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads