xloader | 109bfc4f1d73233b058db08b761ad7c77a7bc43bfe2b10a71614e536c2e89d3a

General

Target

INV15420.exe
Size

42KB
MD5

a17204c4cc765969839d22f78bc125bb
SHA1

7f29c80d2fbc4c4a73f65684fb689543e202d684
SHA256

109bfc4f1d73233b058db08b761ad7c77a7bc43bfe2b10a71614e536c2e89d3a
SHA512

950daa0ff2917f37d71f84bcac7df96c856d0966338b563f480c92d59343938441be0ff93d8801a4dfdc5a4542b3f5b39a5ee9926e9be5b6a498f7e372da6f91

Score

10^/10

xloader ahc8 loader persistence rat spyware stealer suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3548-137-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3752-144-0x00000000001D0000-0x00000000001F9000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cmstp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YBJX0XHXAPX = "C:\\Program Files (x86)\\Bybhxv\\userv0_p.exe"	cmstp.exe

Blocklisted process makes network request 11 IoCs

Processes:

cmstp.exe

flow	pid	process
78	3752	cmstp.exe
114	3752	cmstp.exe
131	3752	cmstp.exe
182	3752	cmstp.exe
238	3752	cmstp.exe
250	3752	cmstp.exe
261	3752	cmstp.exe
317	3752	cmstp.exe
364	3752	cmstp.exe
375	3752	cmstp.exe
399	3752	cmstp.exe

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

userv0_p.exeuserv0_p.exe

pid process

2544 userv0_p.exe
636 userv0_p.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2544	userv0_p.exe
636	userv0_p.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

INV15420.exeINV15420.execmstp.exeuserv0_p.exe

description	pid	process	target process
PID 1000 set thread context of 3548	1000	INV15420.exe	INV15420.exe
PID 3548 set thread context of 2444	3548	INV15420.exe	Explorer.EXE
PID 3752 set thread context of 2444	3752	cmstp.exe	Explorer.EXE
PID 2544 set thread context of 636	2544	userv0_p.exe	userv0_p.exe

Drops file in Program Files directory 4 IoCs

Processes:

Explorer.EXEcmstp.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Bybhxv\userv0_p.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Bybhxv\userv0_p.exe	cmstp.exe
File opened for modification	C:\Program Files (x86)\Bybhxv	Explorer.EXE
File created	C:\Program Files (x86)\Bybhxv\userv0_p.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

INV15420.execmstp.exe

pid	process
3548	INV15420.exe
3548	INV15420.exe
3548	INV15420.exe
3548	INV15420.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe
3752	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2444 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

INV15420.execmstp.exe

pid process

3548 INV15420.exe
3548 INV15420.exe
3548 INV15420.exe
3752 cmstp.exe
3752 cmstp.exe
3752 cmstp.exe
3752 cmstp.exe

pid	process
2444	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

INV15420.exeINV15420.execmstp.exeExplorer.EXEuserv0_p.exeuserv0_p.exe

description	pid	process
Token: SeDebugPrivilege	1000	INV15420.exe
Token: SeDebugPrivilege	3548	INV15420.exe
Token: SeDebugPrivilege	3752	cmstp.exe
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeDebugPrivilege	2544	userv0_p.exe
Token: SeDebugPrivilege	636	userv0_p.exe
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE
Token: SeShutdownPrivilege	2444	Explorer.EXE
Token: SeCreatePagefilePrivilege	2444	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

2444 Explorer.EXE
2444 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2444 Explorer.EXE

pid	process
2444	Explorer.EXE
2444	Explorer.EXE

pid	process
2444	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

INV15420.exeExplorer.EXEcmstp.exeuserv0_p.exe

description	pid	process	target process
PID 1000 wrote to memory of 3548	1000	INV15420.exe	INV15420.exe
PID 1000 wrote to memory of 3548	1000	INV15420.exe	INV15420.exe
PID 1000 wrote to memory of 3548	1000	INV15420.exe	INV15420.exe
PID 1000 wrote to memory of 3548	1000	INV15420.exe	INV15420.exe
PID 1000 wrote to memory of 3548	1000	INV15420.exe	INV15420.exe
PID 1000 wrote to memory of 3548	1000	INV15420.exe	INV15420.exe
PID 2444 wrote to memory of 3752	2444	Explorer.EXE	cmstp.exe
PID 2444 wrote to memory of 3752	2444	Explorer.EXE	cmstp.exe
PID 2444 wrote to memory of 3752	2444	Explorer.EXE	cmstp.exe
PID 3752 wrote to memory of 2840	3752	cmstp.exe	cmd.exe
PID 3752 wrote to memory of 2840	3752	cmstp.exe	cmd.exe
PID 3752 wrote to memory of 2840	3752	cmstp.exe	cmd.exe
PID 2444 wrote to memory of 2544	2444	Explorer.EXE	userv0_p.exe
PID 2444 wrote to memory of 2544	2444	Explorer.EXE	userv0_p.exe
PID 2444 wrote to memory of 2544	2444	Explorer.EXE	userv0_p.exe
PID 2544 wrote to memory of 636	2544	userv0_p.exe	userv0_p.exe
PID 2544 wrote to memory of 636	2544	userv0_p.exe	userv0_p.exe
PID 2544 wrote to memory of 636	2544	userv0_p.exe	userv0_p.exe
PID 2544 wrote to memory of 636	2544	userv0_p.exe	userv0_p.exe
PID 2544 wrote to memory of 636	2544	userv0_p.exe	userv0_p.exe
PID 2544 wrote to memory of 636	2544	userv0_p.exe	userv0_p.exe
PID 3752 wrote to memory of 1716	3752	cmstp.exe	cmd.exe
PID 3752 wrote to memory of 1716	3752	cmstp.exe	cmd.exe
PID 3752 wrote to memory of 1716	3752	cmstp.exe	cmd.exe
PID 3752 wrote to memory of 3048	3752	cmstp.exe	Firefox.exe
PID 3752 wrote to memory of 3048	3752	cmstp.exe	Firefox.exe
PID 3752 wrote to memory of 3048	3752	cmstp.exe	Firefox.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

cmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cmstp.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2444

C:\Users\Admin\AppData\Local\Temp\INV15420.exe
"C:\Users\Admin\AppData\Local\Temp\INV15420.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\INV15420.exe
"C:\Users\Admin\AppData\Local\Temp\INV15420.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Adds policy Run key to start application
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3752

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\INV15420.exe"
3⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:1716

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3048

C:\Program Files (x86)\Bybhxv\userv0_p.exe
"C:\Program Files (x86)\Bybhxv\userv0_p.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544

C:\Program Files (x86)\Bybhxv\userv0_p.exe
"C:\Program Files (x86)\Bybhxv\userv0_p.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -p
1⤵
PID:3612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -p
1⤵
PID:3812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Bybhxv\userv0_p.exe
MD5
a17204c4cc765969839d22f78bc125bb

SHA1
7f29c80d2fbc4c4a73f65684fb689543e202d684

SHA256
109bfc4f1d73233b058db08b761ad7c77a7bc43bfe2b10a71614e536c2e89d3a

SHA512
950daa0ff2917f37d71f84bcac7df96c856d0966338b563f480c92d59343938441be0ff93d8801a4dfdc5a4542b3f5b39a5ee9926e9be5b6a498f7e372da6f91

Download Submit
C:\Program Files (x86)\Bybhxv\userv0_p.exe
MD5
a17204c4cc765969839d22f78bc125bb

SHA1
7f29c80d2fbc4c4a73f65684fb689543e202d684

SHA256
109bfc4f1d73233b058db08b761ad7c77a7bc43bfe2b10a71614e536c2e89d3a

SHA512
950daa0ff2917f37d71f84bcac7df96c856d0966338b563f480c92d59343938441be0ff93d8801a4dfdc5a4542b3f5b39a5ee9926e9be5b6a498f7e372da6f91

Download Submit
C:\Program Files (x86)\Bybhxv\userv0_p.exe
MD5
a17204c4cc765969839d22f78bc125bb

SHA1
7f29c80d2fbc4c4a73f65684fb689543e202d684

SHA256
109bfc4f1d73233b058db08b761ad7c77a7bc43bfe2b10a71614e536c2e89d3a

SHA512
950daa0ff2917f37d71f84bcac7df96c856d0966338b563f480c92d59343938441be0ff93d8801a4dfdc5a4542b3f5b39a5ee9926e9be5b6a498f7e372da6f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
memory/636-156-0x0000000001380000-0x00000000016CA000-memory.dmp

Filesize
3.3MB

Download
memory/1000-136-0x0000000006000000-0x000000000609C000-memory.dmp

Filesize
624KB

Download
memory/1000-131-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1000-132-0x0000000005040000-0x00000000055E4000-memory.dmp

Filesize
5.6MB

Download
memory/1000-133-0x0000000004B90000-0x0000000004C22000-memory.dmp

Filesize
584KB

Download
memory/1000-130-0x0000000074FAE000-0x0000000074FAF000-memory.dmp

Filesize
4KB

Download
memory/1000-134-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1000-135-0x0000000004C50000-0x0000000004C5A000-memory.dmp

Filesize
40KB

Download
memory/2444-147-0x0000000008A40000-0x0000000008B4E000-memory.dmp

Filesize
1.1MB

Download
memory/2444-142-0x00000000088E0000-0x0000000008A32000-memory.dmp

Filesize
1.3MB

Download
memory/2544-153-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/2544-152-0x0000000073DFE000-0x0000000073DFF000-memory.dmp

Filesize
4KB

Download
memory/3548-141-0x0000000001220000-0x0000000001231000-memory.dmp

Filesize
68KB

Download
memory/3548-139-0x0000000001700000-0x0000000001A4A000-memory.dmp

Filesize
3.3MB

Download
memory/3548-140-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/3548-137-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3752-146-0x00000000041B0000-0x0000000004240000-memory.dmp

Filesize
576KB

Download
memory/3752-145-0x0000000004480000-0x00000000047CA000-memory.dmp

Filesize
3.3MB

Download
memory/3752-144-0x00000000001D0000-0x00000000001F9000-memory.dmp

Filesize
164KB

Download
memory/3752-143-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads