xloader | 37fb6b86524033fb07847e3550977bd8028701039465431bd89a33e870ff2c4d

General

Target

PAYMENT INSTRUCTIONS COPY.exe
Size

338KB
MD5

c3ed9e3e0a175a9b8cf5cf02598e99b1
SHA1

444452c7815dc8fb47ad829af43ec0527f6bcc57
SHA256

37fb6b86524033fb07847e3550977bd8028701039465431bd89a33e870ff2c4d
SHA512

632e314f921bf8a13f2f04aa2270b87fa7e29f00e35d941260f24c1d08b1bcfae8b58823629bed3d2c5d6bf480619c8aa97523ca33d1d68ce3ea2a90bd3fd363

Score

10^/10

xloader yrcy loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

yrcy

Decoy

sturlabas.com

tantrungcompany.com

wildgraceyogahealing.com

wsparalegal.com

8xhgq.xyz

mysaylav.com

amelntl.net

cooleshow.online

adventuresbydisneyathome.com

sprinklekart.com

prostitutkitambovasuck.info

pakdao.com

finsith.com

nightpartner82.xyz

sex9a4ufbj.com

ketohousee.com

mairie-les-cammazes.com

elebots.xyz

highqualityremodeling.net

teamsterslocal553.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3028-134-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3028-137-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4004-143-0x0000000000900000-0x0000000000929000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

wljkjsd.exewljkjsd.exe

pid process

2704 wljkjsd.exe
3028 wljkjsd.exe

pid	process
2704	wljkjsd.exe
3028	wljkjsd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

wljkjsd.exewljkjsd.exenetsh.exe

description	pid	process	target process
PID 2704 set thread context of 3028	2704	wljkjsd.exe	wljkjsd.exe
PID 3028 set thread context of 2416	3028	wljkjsd.exe	Explorer.EXE
PID 4004 set thread context of 2416	4004	netsh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

wljkjsd.exenetsh.exe

pid	process
3028	wljkjsd.exe
3028	wljkjsd.exe
3028	wljkjsd.exe
3028	wljkjsd.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe
4004	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2416 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

wljkjsd.exenetsh.exe

pid process

3028 wljkjsd.exe
3028 wljkjsd.exe
3028 wljkjsd.exe
4004 netsh.exe
4004 netsh.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wljkjsd.exenetsh.exe

description pid process

Token: SeDebugPrivilege 3028 wljkjsd.exe
Token: SeDebugPrivilege 4004 netsh.exe

pid	process
2416	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3028	wljkjsd.exe
Token: SeDebugPrivilege	4004	netsh.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

PAYMENT INSTRUCTIONS COPY.exewljkjsd.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 1480 wrote to memory of 2704	1480	PAYMENT INSTRUCTIONS COPY.exe	wljkjsd.exe
PID 1480 wrote to memory of 2704	1480	PAYMENT INSTRUCTIONS COPY.exe	wljkjsd.exe
PID 1480 wrote to memory of 2704	1480	PAYMENT INSTRUCTIONS COPY.exe	wljkjsd.exe
PID 2704 wrote to memory of 3028	2704	wljkjsd.exe	wljkjsd.exe
PID 2704 wrote to memory of 3028	2704	wljkjsd.exe	wljkjsd.exe
PID 2704 wrote to memory of 3028	2704	wljkjsd.exe	wljkjsd.exe
PID 2704 wrote to memory of 3028	2704	wljkjsd.exe	wljkjsd.exe
PID 2704 wrote to memory of 3028	2704	wljkjsd.exe	wljkjsd.exe
PID 2704 wrote to memory of 3028	2704	wljkjsd.exe	wljkjsd.exe
PID 2416 wrote to memory of 4004	2416	Explorer.EXE	netsh.exe
PID 2416 wrote to memory of 4004	2416	Explorer.EXE	netsh.exe
PID 2416 wrote to memory of 4004	2416	Explorer.EXE	netsh.exe
PID 4004 wrote to memory of 4364	4004	netsh.exe	cmd.exe
PID 4004 wrote to memory of 4364	4004	netsh.exe	cmd.exe
PID 4004 wrote to memory of 4364	4004	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Local\Temp\PAYMENT INSTRUCTIONS COPY.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT INSTRUCTIONS COPY.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe
C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe C:\Users\Admin\AppData\Local\Temp\pgqbkgjy
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe
C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe C:\Users\Admin\AppData\Local\Temp\pgqbkgjy
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3288

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4640

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe"
3⤵
PID:4364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\etng0idfoqdhkohcnx7
MD5
ffe7b026299c5738fc187b8bca749ef8

SHA1
57caa3dbdb4c1bac77272d2e0c6b3b93cf78c538

SHA256
0daff89a1913ded569975ca099ec16ea00a58d4e5cfdea33a3b52dc2e07d46d6

SHA512
dc173e6ed76043e7c76ef6efb77c2d78d4baf7dc9da7b16d5f96ce8b6bf465a8d4d450287276825d016a6a03767543e464c8a2a7bc4c428826f2847d1cda9848

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgqbkgjy
MD5
a33814b64ecc9148ab1868b639f75be1

SHA1
4f510238bfe1f403b3bfe3499922bec93b507d99

SHA256
86797894904510b78874629fb9db43fa6a40b11deba5e4405bca62a439d7e79f

SHA512
c8e6eb3ebc6408ce036fa7f76dce55df72d1ecb980b77a09cf29ec3bb0289e6fc812f1674781f3f8695e3272b704bb42d6947b1f20bc40ff0be15725f00caf27

Download Submit
C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe
MD5
ee563df427774a44926ed328f1380884

SHA1
334fe0d43590fe874d6400fb5abf20faadb26661

SHA256
31feeb18bb65c93ff4f1fe75825f1060d839aa7b9657df6d321b298cf45d324f

SHA512
673f2e2523fc62a131b585cd861db45bbf853747ea76161ae7e823832b965b81c209fc202ce15594ffcdafadf5ed9356af2f4330e04b0893a78ae0e8a6f32dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe
MD5
ee563df427774a44926ed328f1380884

SHA1
334fe0d43590fe874d6400fb5abf20faadb26661

SHA256
31feeb18bb65c93ff4f1fe75825f1060d839aa7b9657df6d321b298cf45d324f

SHA512
673f2e2523fc62a131b585cd861db45bbf853747ea76161ae7e823832b965b81c209fc202ce15594ffcdafadf5ed9356af2f4330e04b0893a78ae0e8a6f32dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe
MD5
ee563df427774a44926ed328f1380884

SHA1
334fe0d43590fe874d6400fb5abf20faadb26661

SHA256
31feeb18bb65c93ff4f1fe75825f1060d839aa7b9657df6d321b298cf45d324f

SHA512
673f2e2523fc62a131b585cd861db45bbf853747ea76161ae7e823832b965b81c209fc202ce15594ffcdafadf5ed9356af2f4330e04b0893a78ae0e8a6f32dda

Download Submit
memory/2416-146-0x0000000007D40000-0x0000000007EA9000-memory.dmp

Filesize
1.4MB

Download
memory/2416-141-0x0000000007C20000-0x0000000007D40000-memory.dmp

Filesize
1.1MB

Download
memory/3028-139-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/3028-138-0x0000000000AA0000-0x0000000000DEA000-memory.dmp

Filesize
3.3MB

Download
memory/3028-140-0x0000000000510000-0x0000000000521000-memory.dmp

Filesize
68KB

Download
memory/3028-137-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3028-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4004-142-0x00000000010D0000-0x00000000010EE000-memory.dmp

Filesize
120KB

Download
memory/4004-143-0x0000000000900000-0x0000000000929000-memory.dmp

Filesize
164KB

Download
memory/4004-144-0x00000000012A0000-0x00000000015EA000-memory.dmp

Filesize
3.3MB

Download
memory/4004-145-0x0000000001000000-0x0000000001090000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads