xloader | a65fa640ac023cb2207b4707ca53b54ac80fab579b1ab598637850a003b4f2e4

General

Target

comprovante de pagamento.exe
Size

339KB
MD5

cfddc31fa56b6e1a80f29386769bd19e
SHA1

78b41e3c049f5dca11aa3c9679f757461cabea7d
SHA256

a65fa640ac023cb2207b4707ca53b54ac80fab579b1ab598637850a003b4f2e4
SHA512

7b4273d4d8cfd5cbe9234dd459c50f56b34978535c9e7480afce28396623da3586dcf7e6011496881774c6ebc4382a61293b230216bfb252385c3b6e290b55cd

Score

10^/10

xloader cbgo loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

santesha.com

britneysbeautybar.com

sh-cy17.com

jeffcarveragency.com

3117111.com

sobrehosting.net

ddm123.xyz

toxcompliance.com

auditorydesigns.com

vliftfacial.com

ielhii.com

naameliss.com

ritualchariot.com

solchange.com

quatre-vingts.design

lawnmowermashine.com

braceletsstore.net

admappy.com

tollivercoltd.com

vaidix.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/560-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/560-69-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1540-74-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

kefkdcbcrz.exekefkdcbcrz.exe

pid process

564 kefkdcbcrz.exe
560 kefkdcbcrz.exe
Loads dropped DLL 2 IoCs

Processes:

comprovante de pagamento.exekefkdcbcrz.exe

pid process

1252 comprovante de pagamento.exe
564 kefkdcbcrz.exe

pid	process
564	kefkdcbcrz.exe
560	kefkdcbcrz.exe

pid	process
1252	comprovante de pagamento.exe
564	kefkdcbcrz.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

kefkdcbcrz.exekefkdcbcrz.exewininit.exe

description	pid	process	target process
PID 564 set thread context of 560	564	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 560 set thread context of 1196	560	kefkdcbcrz.exe	Explorer.EXE
PID 560 set thread context of 1196	560	kefkdcbcrz.exe	Explorer.EXE
PID 1540 set thread context of 1196	1540	wininit.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

kefkdcbcrz.exewininit.exe

pid	process
560	kefkdcbcrz.exe
560	kefkdcbcrz.exe
560	kefkdcbcrz.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe
1540	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

kefkdcbcrz.exewininit.exe

pid process

560 kefkdcbcrz.exe
560 kefkdcbcrz.exe
560 kefkdcbcrz.exe
560 kefkdcbcrz.exe
1540 wininit.exe
1540 wininit.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kefkdcbcrz.exewininit.exe

description pid process

Token: SeDebugPrivilege 560 kefkdcbcrz.exe
Token: SeDebugPrivilege 1540 wininit.exe

pid	process
1196	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	560	kefkdcbcrz.exe
Token: SeDebugPrivilege	1540	wininit.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

comprovante de pagamento.exekefkdcbcrz.exekefkdcbcrz.exewininit.exe

description	pid	process	target process
PID 1252 wrote to memory of 564	1252	comprovante de pagamento.exe	kefkdcbcrz.exe
PID 1252 wrote to memory of 564	1252	comprovante de pagamento.exe	kefkdcbcrz.exe
PID 1252 wrote to memory of 564	1252	comprovante de pagamento.exe	kefkdcbcrz.exe
PID 1252 wrote to memory of 564	1252	comprovante de pagamento.exe	kefkdcbcrz.exe
PID 564 wrote to memory of 560	564	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 564 wrote to memory of 560	564	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 564 wrote to memory of 560	564	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 564 wrote to memory of 560	564	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 564 wrote to memory of 560	564	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 564 wrote to memory of 560	564	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 564 wrote to memory of 560	564	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 560 wrote to memory of 1540	560	kefkdcbcrz.exe	wininit.exe
PID 560 wrote to memory of 1540	560	kefkdcbcrz.exe	wininit.exe
PID 560 wrote to memory of 1540	560	kefkdcbcrz.exe	wininit.exe
PID 560 wrote to memory of 1540	560	kefkdcbcrz.exe	wininit.exe
PID 1540 wrote to memory of 596	1540	wininit.exe	cmd.exe
PID 1540 wrote to memory of 596	1540	wininit.exe	cmd.exe
PID 1540 wrote to memory of 596	1540	wininit.exe	cmd.exe
PID 1540 wrote to memory of 596	1540	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1196

C:\Users\Admin\AppData\Local\Temp\comprovante de pagamento.exe
"C:\Users\Admin\AppData\Local\Temp\comprovante de pagamento.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe C:\Users\Admin\AppData\Local\Temp\xsytq
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe C:\Users\Admin\AppData\Local\Temp\xsytq
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe"
6⤵
PID:596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bs5210ina7o23q4wlv
MD5
635788a319cc804f7eee6cc85484994d

SHA1
ec66c3089a7ef4905248ea91d5fd5406e081deb0

SHA256
cbfa82c018690de266af6d720c9916dd8236d5f12d65c31fb7bf5c95b4e0a43c

SHA512
f8fb2daeedb1a92b0e206009155f29cde504de7cba69935d47ee63c96fe2734c93becf199adcca6da53357824024ed9636696b08bf9669a4024b2fb5bd8f17ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
MD5
22c779f0c5c8e47aea06b03bdd12ef77

SHA1
14b36e7d3841575db9fceb8a635082cf3447ce25

SHA256
1a7a06bea18bf2f36247341bc182cc1aecb1a9be28accb4d559e3e667957d0d3

SHA512
10b2be6b4ca0b87ad0f2f31aace7aaac7340b7ab83dd9770f5f3e7fe3e1b9b62194e5721aeea3971d502b374d664fdbe9555540205be80aa7c197cbf146a3c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
MD5
22c779f0c5c8e47aea06b03bdd12ef77

SHA1
14b36e7d3841575db9fceb8a635082cf3447ce25

SHA256
1a7a06bea18bf2f36247341bc182cc1aecb1a9be28accb4d559e3e667957d0d3

SHA512
10b2be6b4ca0b87ad0f2f31aace7aaac7340b7ab83dd9770f5f3e7fe3e1b9b62194e5721aeea3971d502b374d664fdbe9555540205be80aa7c197cbf146a3c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
MD5
22c779f0c5c8e47aea06b03bdd12ef77

SHA1
14b36e7d3841575db9fceb8a635082cf3447ce25

SHA256
1a7a06bea18bf2f36247341bc182cc1aecb1a9be28accb4d559e3e667957d0d3

SHA512
10b2be6b4ca0b87ad0f2f31aace7aaac7340b7ab83dd9770f5f3e7fe3e1b9b62194e5721aeea3971d502b374d664fdbe9555540205be80aa7c197cbf146a3c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsytq
MD5
b56fe160e90745d86c9ee74fd026e134

SHA1
2231d8dc79fa27334de455ed5fe3d081490bbc77

SHA256
cf9939352d9884929da9a22c416be384d658efdb818b1da7b257875e7c894a98

SHA512
497604bf3a074f5affa3c52afd69f69db0b44fe1e6d5752a036c4c95ad7e869954f6d69201d54af087bf4583e71e40414260a70ca7db75832d8ae7b75312529e

Download Submit
\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
MD5
22c779f0c5c8e47aea06b03bdd12ef77

SHA1
14b36e7d3841575db9fceb8a635082cf3447ce25

SHA256
1a7a06bea18bf2f36247341bc182cc1aecb1a9be28accb4d559e3e667957d0d3

SHA512
10b2be6b4ca0b87ad0f2f31aace7aaac7340b7ab83dd9770f5f3e7fe3e1b9b62194e5721aeea3971d502b374d664fdbe9555540205be80aa7c197cbf146a3c74

Download Submit
\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
MD5
22c779f0c5c8e47aea06b03bdd12ef77

SHA1
14b36e7d3841575db9fceb8a635082cf3447ce25

SHA256
1a7a06bea18bf2f36247341bc182cc1aecb1a9be28accb4d559e3e667957d0d3

SHA512
10b2be6b4ca0b87ad0f2f31aace7aaac7340b7ab83dd9770f5f3e7fe3e1b9b62194e5721aeea3971d502b374d664fdbe9555540205be80aa7c197cbf146a3c74

Download Submit
memory/560-66-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/560-71-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/560-65-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/560-70-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/560-67-0x0000000000200000-0x0000000000211000-memory.dmp

Filesize
68KB

Download
memory/560-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/560-69-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1196-68-0x0000000004AE0000-0x0000000004BA4000-memory.dmp

Filesize
784KB

Download
memory/1196-72-0x0000000004D70000-0x0000000004E1F000-memory.dmp

Filesize
700KB

Download
memory/1196-77-0x00000000065E0000-0x0000000006734000-memory.dmp

Filesize
1.3MB

Download
memory/1252-54-0x00000000762A1000-0x00000000762A3000-memory.dmp

Filesize
8KB

Download
memory/1540-73-0x0000000000680000-0x000000000069A000-memory.dmp

Filesize
104KB

Download
memory/1540-74-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1540-75-0x0000000001F00000-0x0000000002203000-memory.dmp

Filesize
3.0MB

Download
memory/1540-76-0x0000000001D30000-0x0000000001DC0000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads