xloader | 35295675b2fbd8ff9900336325e3324270f083705fd0cf51f4ef28763430cdd6

General

Target

INV21029.exe
Size

577KB
MD5

740dd9c14dea0b98df6ad434abfe789e
SHA1

cbec4d898e68c12fb7dcaddb17d0aca16e8e0e7b
SHA256

35295675b2fbd8ff9900336325e3324270f083705fd0cf51f4ef28763430cdd6
SHA512

66041e42091e83889a6da93c4242a01a0a3122774dc2db8baf909fb0ec6b0d6e847183ac92a24f2ca99f99de7dd4abddddda4a908887f354e3a333202bc0a66e

Score

10^/10

xloader ahc8 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/268-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/780-70-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

reqbqonire.exereqbqonire.exe

pid process

952 reqbqonire.exe
268 reqbqonire.exe
Loads dropped DLL 2 IoCs

Processes:

INV21029.exereqbqonire.exe

pid process

1144 INV21029.exe
952 reqbqonire.exe

pid	process
952	reqbqonire.exe
268	reqbqonire.exe

pid	process
1144	INV21029.exe
952	reqbqonire.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

reqbqonire.exereqbqonire.exewlanext.exe

description	pid	process	target process
PID 952 set thread context of 268	952	reqbqonire.exe	reqbqonire.exe
PID 268 set thread context of 1368	268	reqbqonire.exe	Explorer.EXE
PID 780 set thread context of 1368	780	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

reqbqonire.exewlanext.exe

pid	process
268	reqbqonire.exe
268	reqbqonire.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe
780	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1368 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

reqbqonire.exewlanext.exe

pid process

268 reqbqonire.exe
268 reqbqonire.exe
268 reqbqonire.exe
780 wlanext.exe
780 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

reqbqonire.exewlanext.exe

description pid process

Token: SeDebugPrivilege 268 reqbqonire.exe
Token: SeDebugPrivilege 780 wlanext.exe

pid	process
1368	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	268	reqbqonire.exe
Token: SeDebugPrivilege	780	wlanext.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

INV21029.exereqbqonire.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 1144 wrote to memory of 952	1144	INV21029.exe	reqbqonire.exe
PID 1144 wrote to memory of 952	1144	INV21029.exe	reqbqonire.exe
PID 1144 wrote to memory of 952	1144	INV21029.exe	reqbqonire.exe
PID 1144 wrote to memory of 952	1144	INV21029.exe	reqbqonire.exe
PID 952 wrote to memory of 268	952	reqbqonire.exe	reqbqonire.exe
PID 952 wrote to memory of 268	952	reqbqonire.exe	reqbqonire.exe
PID 952 wrote to memory of 268	952	reqbqonire.exe	reqbqonire.exe
PID 952 wrote to memory of 268	952	reqbqonire.exe	reqbqonire.exe
PID 952 wrote to memory of 268	952	reqbqonire.exe	reqbqonire.exe
PID 952 wrote to memory of 268	952	reqbqonire.exe	reqbqonire.exe
PID 952 wrote to memory of 268	952	reqbqonire.exe	reqbqonire.exe
PID 1368 wrote to memory of 780	1368	Explorer.EXE	wlanext.exe
PID 1368 wrote to memory of 780	1368	Explorer.EXE	wlanext.exe
PID 1368 wrote to memory of 780	1368	Explorer.EXE	wlanext.exe
PID 1368 wrote to memory of 780	1368	Explorer.EXE	wlanext.exe
PID 780 wrote to memory of 1384	780	wlanext.exe	cmd.exe
PID 780 wrote to memory of 1384	780	wlanext.exe	cmd.exe
PID 780 wrote to memory of 1384	780	wlanext.exe	cmd.exe
PID 780 wrote to memory of 1384	780	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\INV21029.exe
  "C:\Users\Admin\AppData\Local\Temp\INV21029.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe
    C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe C:\Users\Admin\AppData\Local\Temp\truuumm
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe
      C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe C:\Users\Admin\AppData\Local\Temp\truuumm
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:268
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe"
    3⤵
    PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1djuqculeikkmhtz2x2

MD5
199f72b6103b1ad570f3a810d06c332a

SHA1
43b9341301394deec3c674cf98fc3c6cc629ee2b

SHA256
a61bbd1659ba2338fe6e4df411d709834285b54991c403ba07bc9459af5320fc

SHA512
0ce6be58193b0bcdccd003218597ce8f6bd0de35563c32d28c2e111903445f12ece5fa0a536dd2b79153b9c265c10a6ec17f8ef67b11edb95d155c0f502adeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe

MD5
b83e207b80ad38dccaf5b38b9a64cf97

SHA1
a28cba27c256021902f8150d47ced82565bb8558

SHA256
97658ad1a093a80ac9f16949b1971079bbdddc8cdd3515bb681b821203794741

SHA512
190ee397a064ca8caf6e0625a79ab764d7bae84007790b2157804f9ae2f16454d430c17402b4d7df76ce5cdea24b3f56d2298c56a5a38215fd9a65fb8e68e0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe

MD5
b83e207b80ad38dccaf5b38b9a64cf97

SHA1
a28cba27c256021902f8150d47ced82565bb8558

SHA256
97658ad1a093a80ac9f16949b1971079bbdddc8cdd3515bb681b821203794741

SHA512
190ee397a064ca8caf6e0625a79ab764d7bae84007790b2157804f9ae2f16454d430c17402b4d7df76ce5cdea24b3f56d2298c56a5a38215fd9a65fb8e68e0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe

MD5
b83e207b80ad38dccaf5b38b9a64cf97

SHA1
a28cba27c256021902f8150d47ced82565bb8558

SHA256
97658ad1a093a80ac9f16949b1971079bbdddc8cdd3515bb681b821203794741

SHA512
190ee397a064ca8caf6e0625a79ab764d7bae84007790b2157804f9ae2f16454d430c17402b4d7df76ce5cdea24b3f56d2298c56a5a38215fd9a65fb8e68e0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\truuumm

MD5
0a99632c69bc8d3fe6231d0a50bff785

SHA1
ad875f4428f17d0474be5ee8667158bd14d10f22

SHA256
0a11eae20268581b0ad9c67defaf1a4dc4bf183ede922eca10c5da698eec8078

SHA512
93905216a40975163edfcc94cf3c55c40a27e4cf7143d028ef6c5caead6ceaaa1504bd4c5a05d043d61be3df08991ea7e1e8c98cdfafd9d8744ccacdc5d7de2f

Download Submit
\Users\Admin\AppData\Local\Temp\reqbqonire.exe

MD5
b83e207b80ad38dccaf5b38b9a64cf97

SHA1
a28cba27c256021902f8150d47ced82565bb8558

SHA256
97658ad1a093a80ac9f16949b1971079bbdddc8cdd3515bb681b821203794741

SHA512
190ee397a064ca8caf6e0625a79ab764d7bae84007790b2157804f9ae2f16454d430c17402b4d7df76ce5cdea24b3f56d2298c56a5a38215fd9a65fb8e68e0a6

Download Submit
\Users\Admin\AppData\Local\Temp\reqbqonire.exe

MD5
b83e207b80ad38dccaf5b38b9a64cf97

SHA1
a28cba27c256021902f8150d47ced82565bb8558

SHA256
97658ad1a093a80ac9f16949b1971079bbdddc8cdd3515bb681b821203794741

SHA512
190ee397a064ca8caf6e0625a79ab764d7bae84007790b2157804f9ae2f16454d430c17402b4d7df76ce5cdea24b3f56d2298c56a5a38215fd9a65fb8e68e0a6

Download Submit
memory/268-67-0x0000000000340000-0x0000000000351000-memory.dmp

Filesize
68KB

Download
memory/268-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/268-66-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/268-65-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/780-70-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/780-71-0x0000000002110000-0x0000000002413000-memory.dmp

Filesize
3.0MB

Download
memory/780-69-0x0000000000CF0000-0x0000000000D06000-memory.dmp

Filesize
88KB

Download
memory/780-72-0x0000000000370000-0x0000000000400000-memory.dmp

Filesize
576KB

Download
memory/1144-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1368-68-0x0000000006B70000-0x0000000006CA0000-memory.dmp

Filesize
1.2MB

Download
memory/1368-73-0x0000000003D80000-0x0000000003E9D000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads