xloader | b3babb49432b3d09adbf7e79dfb2fe84f4d417ad394ccd59412c9e083a42a673

General

Target

RECEIPT 0266255252.exe
Size

300KB
MD5

c7012ce63b4ed9e49bf7be48fc27beae
SHA1

8c91c8e2a90b9e9b3d3dde1fb32e02e5de5dd347
SHA256

b3babb49432b3d09adbf7e79dfb2fe84f4d417ad394ccd59412c9e083a42a673
SHA512

6ded1f1974ace78c102fc60e65cef89b664860edd87938af9efa1b4574de43667b614fbc19f49fae2d018180a2a706181982179193bba5c5ccac565758ee2e60

Score

10^/10

xloader rmfg loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rmfg

Decoy

prospectcompounding.com

grand-prix.voyage

solvingpklogc.xyz

eliamhome.com

gamevip88.club

arsels.info

dswlt.com

dchehe.com

lawyerjerusalem.com

pbnseo.xyz

apuryifuid.com

kiukiupoker88.net

leannonimpact.com

kare-furniture.com

mississaugaremax.online

zpyh198.com

dueplay.store

naimi.ltd

greenstepspodiatry.com

cewirtanen.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/564-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/564-67-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1380-72-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

etesfm.exeetesfm.exe

pid process

1684 etesfm.exe
564 etesfm.exe
Loads dropped DLL 2 IoCs

Processes:

RECEIPT 0266255252.exeetesfm.exe

pid process

1668 RECEIPT 0266255252.exe
1684 etesfm.exe

pid	process
1684	etesfm.exe
564	etesfm.exe

pid	process
1668	RECEIPT 0266255252.exe
1684	etesfm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

etesfm.exeetesfm.exehelp.exe

description	pid	process	target process
PID 1684 set thread context of 564	1684	etesfm.exe	etesfm.exe
PID 564 set thread context of 1372	564	etesfm.exe	Explorer.EXE
PID 1380 set thread context of 1372	1380	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

etesfm.exehelp.exe

pid	process
564	etesfm.exe
564	etesfm.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe
1380	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

etesfm.exehelp.exe

pid process

564 etesfm.exe
564 etesfm.exe
564 etesfm.exe
1380 help.exe
1380 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

etesfm.exehelp.exe

description pid process

Token: SeDebugPrivilege 564 etesfm.exe
Token: SeDebugPrivilege 1380 help.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE

pid	process
1372	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	564	etesfm.exe
Token: SeDebugPrivilege	1380	help.exe

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

RECEIPT 0266255252.exeetesfm.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 1668 wrote to memory of 1684	1668	RECEIPT 0266255252.exe	etesfm.exe
PID 1668 wrote to memory of 1684	1668	RECEIPT 0266255252.exe	etesfm.exe
PID 1668 wrote to memory of 1684	1668	RECEIPT 0266255252.exe	etesfm.exe
PID 1668 wrote to memory of 1684	1668	RECEIPT 0266255252.exe	etesfm.exe
PID 1684 wrote to memory of 564	1684	etesfm.exe	etesfm.exe
PID 1684 wrote to memory of 564	1684	etesfm.exe	etesfm.exe
PID 1684 wrote to memory of 564	1684	etesfm.exe	etesfm.exe
PID 1684 wrote to memory of 564	1684	etesfm.exe	etesfm.exe
PID 1684 wrote to memory of 564	1684	etesfm.exe	etesfm.exe
PID 1684 wrote to memory of 564	1684	etesfm.exe	etesfm.exe
PID 1684 wrote to memory of 564	1684	etesfm.exe	etesfm.exe
PID 1372 wrote to memory of 1380	1372	Explorer.EXE	help.exe
PID 1372 wrote to memory of 1380	1372	Explorer.EXE	help.exe
PID 1372 wrote to memory of 1380	1372	Explorer.EXE	help.exe
PID 1372 wrote to memory of 1380	1372	Explorer.EXE	help.exe
PID 1380 wrote to memory of 1764	1380	help.exe	cmd.exe
PID 1380 wrote to memory of 1764	1380	help.exe	cmd.exe
PID 1380 wrote to memory of 1764	1380	help.exe	cmd.exe
PID 1380 wrote to memory of 1764	1380	help.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\RECEIPT 0266255252.exe
"C:\Users\Admin\AppData\Local\Temp\RECEIPT 0266255252.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\etesfm.exe
C:\Users\Admin\AppData\Local\Temp\etesfm.exe C:\Users\Admin\AppData\Local\Temp\vzyiso
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\etesfm.exe
C:\Users\Admin\AppData\Local\Temp\etesfm.exe C:\Users\Admin\AppData\Local\Temp\vzyiso
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\etesfm.exe"
3⤵
PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\etesfm.exe
MD5
12ba701928ac0c5894000dedc1213151

SHA1
eab2734cb14c0aedd4689b502c854869eb9e97d3

SHA256
31422622c217fe7978d0c5c8878a990a9288b80a796c4f3274e92ebf08005f4d

SHA512
1aca194f0f0905d470215745cd113b111345ba2330177cb59659db8d714dc2b65b780086f4586e6b908e2549bd079e7c5d20714ff35052fdcf6098c058aafb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\etesfm.exe
MD5
12ba701928ac0c5894000dedc1213151

SHA1
eab2734cb14c0aedd4689b502c854869eb9e97d3

SHA256
31422622c217fe7978d0c5c8878a990a9288b80a796c4f3274e92ebf08005f4d

SHA512
1aca194f0f0905d470215745cd113b111345ba2330177cb59659db8d714dc2b65b780086f4586e6b908e2549bd079e7c5d20714ff35052fdcf6098c058aafb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\etesfm.exe
MD5
12ba701928ac0c5894000dedc1213151

SHA1
eab2734cb14c0aedd4689b502c854869eb9e97d3

SHA256
31422622c217fe7978d0c5c8878a990a9288b80a796c4f3274e92ebf08005f4d

SHA512
1aca194f0f0905d470215745cd113b111345ba2330177cb59659db8d714dc2b65b780086f4586e6b908e2549bd079e7c5d20714ff35052fdcf6098c058aafb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hg1xt3velopl8
MD5
f940151ae73b4a19450f1214d210fbb8

SHA1
c45702b0676bc18a792c217f6b804fecf0487836

SHA256
6e0e27ead911c2ec1fb0c30cdbad40bea1d7e90bedb3d74e3cd6d7f6ff0f430a

SHA512
d1911faa1088dbdf19971580dab118cca1e4ce28ec061fb7f49c2e9cfaeb67e7fbc7abcac824f36b0724a95fd204fff24b2c892e9ef81ede8b8c80c60ecf5f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\vzyiso
MD5
ca93353f618e990d0c4ac5c3007abfdd

SHA1
4a52063da3beb1ddf89f8d91e5bc7fd9c80a2fa9

SHA256
c8a49296632cae0607c345427b99fc44dfa1d90e6524bbfa8249acfeafe386dd

SHA512
36fcf63cee72aa2525981281d64bfc641eb4564a48f9cebb4c120a36efb79522869f3890f89839d4e456b29d324bbed6db8d0d0e2dc3d7ac8d9ce5be5e0041db

Download Submit
\Users\Admin\AppData\Local\Temp\etesfm.exe
MD5
12ba701928ac0c5894000dedc1213151

SHA1
eab2734cb14c0aedd4689b502c854869eb9e97d3

SHA256
31422622c217fe7978d0c5c8878a990a9288b80a796c4f3274e92ebf08005f4d

SHA512
1aca194f0f0905d470215745cd113b111345ba2330177cb59659db8d714dc2b65b780086f4586e6b908e2549bd079e7c5d20714ff35052fdcf6098c058aafb5a

Download Submit
\Users\Admin\AppData\Local\Temp\etesfm.exe
MD5
12ba701928ac0c5894000dedc1213151

SHA1
eab2734cb14c0aedd4689b502c854869eb9e97d3

SHA256
31422622c217fe7978d0c5c8878a990a9288b80a796c4f3274e92ebf08005f4d

SHA512
1aca194f0f0905d470215745cd113b111345ba2330177cb59659db8d714dc2b65b780086f4586e6b908e2549bd079e7c5d20714ff35052fdcf6098c058aafb5a

Download Submit
memory/564-67-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/564-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/564-66-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/564-68-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/564-69-0x0000000000340000-0x0000000000351000-memory.dmp

Filesize
68KB

Download
memory/1372-70-0x0000000005F00000-0x0000000006064000-memory.dmp

Filesize
1.4MB

Download
memory/1372-75-0x0000000006620000-0x00000000066E4000-memory.dmp

Filesize
784KB

Download
memory/1380-71-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/1380-72-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1380-73-0x00000000006F0000-0x00000000009F3000-memory.dmp

Filesize
3.0MB

Download
memory/1380-74-0x00000000004B0000-0x0000000000540000-memory.dmp

Filesize
576KB

Download
memory/1668-55-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads