xloader | 37fb6b86524033fb07847e3550977bd8028701039465431bd89a33e870ff2c4d

General

Target

PAYMENT INSTRUCTIONS COPY.exe
Size

338KB
MD5

c3ed9e3e0a175a9b8cf5cf02598e99b1
SHA1

444452c7815dc8fb47ad829af43ec0527f6bcc57
SHA256

37fb6b86524033fb07847e3550977bd8028701039465431bd89a33e870ff2c4d
SHA512

632e314f921bf8a13f2f04aa2270b87fa7e29f00e35d941260f24c1d08b1bcfae8b58823629bed3d2c5d6bf480619c8aa97523ca33d1d68ce3ea2a90bd3fd363

Score

10^/10

xloader yrcy loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

yrcy

Decoy

sturlabas.com

tantrungcompany.com

wildgraceyogahealing.com

wsparalegal.com

8xhgq.xyz

mysaylav.com

amelntl.net

cooleshow.online

adventuresbydisneyathome.com

sprinklekart.com

prostitutkitambovasuck.info

pakdao.com

finsith.com

nightpartner82.xyz

sex9a4ufbj.com

ketohousee.com

mairie-les-cammazes.com

elebots.xyz

highqualityremodeling.net

teamsterslocal553.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1960-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/900-72-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

wljkjsd.exewljkjsd.exe

pid process

520 wljkjsd.exe
1960 wljkjsd.exe
Loads dropped DLL 2 IoCs

Processes:

PAYMENT INSTRUCTIONS COPY.exewljkjsd.exe

pid process

1320 PAYMENT INSTRUCTIONS COPY.exe
520 wljkjsd.exe

pid	process
520	wljkjsd.exe
1960	wljkjsd.exe

pid	process
1320	PAYMENT INSTRUCTIONS COPY.exe
520	wljkjsd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

wljkjsd.exewljkjsd.execontrol.exe

description	pid	process	target process
PID 520 set thread context of 1960	520	wljkjsd.exe	wljkjsd.exe
PID 1960 set thread context of 1380	1960	wljkjsd.exe	Explorer.EXE
PID 900 set thread context of 1380	900	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

wljkjsd.execontrol.exe

pid	process
1960	wljkjsd.exe
1960	wljkjsd.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe
900	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

wljkjsd.execontrol.exe

pid process

1960 wljkjsd.exe
1960 wljkjsd.exe
1960 wljkjsd.exe
900 control.exe
900 control.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wljkjsd.execontrol.exe

description pid process

Token: SeDebugPrivilege 1960 wljkjsd.exe
Token: SeDebugPrivilege 900 control.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
1380 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
1380 Explorer.EXE

pid	process
1380	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1960	wljkjsd.exe
Token: SeDebugPrivilege	900	control.exe

pid	process
1380	Explorer.EXE
1380	Explorer.EXE

pid	process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

PAYMENT INSTRUCTIONS COPY.exewljkjsd.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 1320 wrote to memory of 520	1320	PAYMENT INSTRUCTIONS COPY.exe	wljkjsd.exe
PID 1320 wrote to memory of 520	1320	PAYMENT INSTRUCTIONS COPY.exe	wljkjsd.exe
PID 1320 wrote to memory of 520	1320	PAYMENT INSTRUCTIONS COPY.exe	wljkjsd.exe
PID 1320 wrote to memory of 520	1320	PAYMENT INSTRUCTIONS COPY.exe	wljkjsd.exe
PID 520 wrote to memory of 1960	520	wljkjsd.exe	wljkjsd.exe
PID 520 wrote to memory of 1960	520	wljkjsd.exe	wljkjsd.exe
PID 520 wrote to memory of 1960	520	wljkjsd.exe	wljkjsd.exe
PID 520 wrote to memory of 1960	520	wljkjsd.exe	wljkjsd.exe
PID 520 wrote to memory of 1960	520	wljkjsd.exe	wljkjsd.exe
PID 520 wrote to memory of 1960	520	wljkjsd.exe	wljkjsd.exe
PID 520 wrote to memory of 1960	520	wljkjsd.exe	wljkjsd.exe
PID 1380 wrote to memory of 900	1380	Explorer.EXE	control.exe
PID 1380 wrote to memory of 900	1380	Explorer.EXE	control.exe
PID 1380 wrote to memory of 900	1380	Explorer.EXE	control.exe
PID 1380 wrote to memory of 900	1380	Explorer.EXE	control.exe
PID 900 wrote to memory of 1592	900	control.exe	cmd.exe
PID 900 wrote to memory of 1592	900	control.exe	cmd.exe
PID 900 wrote to memory of 1592	900	control.exe	cmd.exe
PID 900 wrote to memory of 1592	900	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\PAYMENT INSTRUCTIONS COPY.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT INSTRUCTIONS COPY.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe
C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe C:\Users\Admin\AppData\Local\Temp\pgqbkgjy
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe
C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe C:\Users\Admin\AppData\Local\Temp\pgqbkgjy
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe"
3⤵
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\etng0idfoqdhkohcnx7
MD5
ffe7b026299c5738fc187b8bca749ef8

SHA1
57caa3dbdb4c1bac77272d2e0c6b3b93cf78c538

SHA256
0daff89a1913ded569975ca099ec16ea00a58d4e5cfdea33a3b52dc2e07d46d6

SHA512
dc173e6ed76043e7c76ef6efb77c2d78d4baf7dc9da7b16d5f96ce8b6bf465a8d4d450287276825d016a6a03767543e464c8a2a7bc4c428826f2847d1cda9848

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgqbkgjy
MD5
a33814b64ecc9148ab1868b639f75be1

SHA1
4f510238bfe1f403b3bfe3499922bec93b507d99

SHA256
86797894904510b78874629fb9db43fa6a40b11deba5e4405bca62a439d7e79f

SHA512
c8e6eb3ebc6408ce036fa7f76dce55df72d1ecb980b77a09cf29ec3bb0289e6fc812f1674781f3f8695e3272b704bb42d6947b1f20bc40ff0be15725f00caf27

Download Submit
C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe
MD5
ee563df427774a44926ed328f1380884

SHA1
334fe0d43590fe874d6400fb5abf20faadb26661

SHA256
31feeb18bb65c93ff4f1fe75825f1060d839aa7b9657df6d321b298cf45d324f

SHA512
673f2e2523fc62a131b585cd861db45bbf853747ea76161ae7e823832b965b81c209fc202ce15594ffcdafadf5ed9356af2f4330e04b0893a78ae0e8a6f32dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe
MD5
ee563df427774a44926ed328f1380884

SHA1
334fe0d43590fe874d6400fb5abf20faadb26661

SHA256
31feeb18bb65c93ff4f1fe75825f1060d839aa7b9657df6d321b298cf45d324f

SHA512
673f2e2523fc62a131b585cd861db45bbf853747ea76161ae7e823832b965b81c209fc202ce15594ffcdafadf5ed9356af2f4330e04b0893a78ae0e8a6f32dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe
MD5
ee563df427774a44926ed328f1380884

SHA1
334fe0d43590fe874d6400fb5abf20faadb26661

SHA256
31feeb18bb65c93ff4f1fe75825f1060d839aa7b9657df6d321b298cf45d324f

SHA512
673f2e2523fc62a131b585cd861db45bbf853747ea76161ae7e823832b965b81c209fc202ce15594ffcdafadf5ed9356af2f4330e04b0893a78ae0e8a6f32dda

Download Submit
\Users\Admin\AppData\Local\Temp\wljkjsd.exe
MD5
ee563df427774a44926ed328f1380884

SHA1
334fe0d43590fe874d6400fb5abf20faadb26661

SHA256
31feeb18bb65c93ff4f1fe75825f1060d839aa7b9657df6d321b298cf45d324f

SHA512
673f2e2523fc62a131b585cd861db45bbf853747ea76161ae7e823832b965b81c209fc202ce15594ffcdafadf5ed9356af2f4330e04b0893a78ae0e8a6f32dda

Download Submit
\Users\Admin\AppData\Local\Temp\wljkjsd.exe
MD5
ee563df427774a44926ed328f1380884

SHA1
334fe0d43590fe874d6400fb5abf20faadb26661

SHA256
31feeb18bb65c93ff4f1fe75825f1060d839aa7b9657df6d321b298cf45d324f

SHA512
673f2e2523fc62a131b585cd861db45bbf853747ea76161ae7e823832b965b81c209fc202ce15594ffcdafadf5ed9356af2f4330e04b0893a78ae0e8a6f32dda

Download Submit
memory/900-71-0x00000000005E0000-0x00000000005FF000-memory.dmp

Filesize
124KB

Download
memory/900-74-0x0000000001D70000-0x0000000001E00000-memory.dmp

Filesize
576KB

Download
memory/900-73-0x0000000001FB0000-0x00000000022B3000-memory.dmp

Filesize
3.0MB

Download
memory/900-72-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1320-55-0x0000000074B21000-0x0000000074B23000-memory.dmp

Filesize
8KB

Download
memory/1380-69-0x0000000007040000-0x0000000007153000-memory.dmp

Filesize
1.1MB

Download
memory/1380-75-0x00000000042B0000-0x000000000434E000-memory.dmp

Filesize
632KB

Download
memory/1960-68-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/1960-67-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1960-65-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/1960-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads