xloader | a65fa640ac023cb2207b4707ca53b54ac80fab579b1ab598637850a003b4f2e4

General

Target

comprovante de pagamento.exe
Size

339KB
MD5

cfddc31fa56b6e1a80f29386769bd19e
SHA1

78b41e3c049f5dca11aa3c9679f757461cabea7d
SHA256

a65fa640ac023cb2207b4707ca53b54ac80fab579b1ab598637850a003b4f2e4
SHA512

7b4273d4d8cfd5cbe9234dd459c50f56b34978535c9e7480afce28396623da3586dcf7e6011496881774c6ebc4382a61293b230216bfb252385c3b6e290b55cd

Score

10^/10

xloader cbgo loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

santesha.com

britneysbeautybar.com

sh-cy17.com

jeffcarveragency.com

3117111.com

sobrehosting.net

ddm123.xyz

toxcompliance.com

auditorydesigns.com

vliftfacial.com

ielhii.com

naameliss.com

ritualchariot.com

solchange.com

quatre-vingts.design

lawnmowermashine.com

braceletsstore.net

admappy.com

tollivercoltd.com

vaidix.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/524-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/364-71-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

kefkdcbcrz.exekefkdcbcrz.exe

pid process

1936 kefkdcbcrz.exe
524 kefkdcbcrz.exe
Loads dropped DLL 2 IoCs

Processes:

comprovante de pagamento.exekefkdcbcrz.exe

pid process

1932 comprovante de pagamento.exe
1936 kefkdcbcrz.exe

pid	process
1936	kefkdcbcrz.exe
524	kefkdcbcrz.exe

pid	process
1932	comprovante de pagamento.exe
1936	kefkdcbcrz.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

kefkdcbcrz.exekefkdcbcrz.exewininit.exe

description	pid	process	target process
PID 1936 set thread context of 524	1936	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 524 set thread context of 1356	524	kefkdcbcrz.exe	Explorer.EXE
PID 364 set thread context of 1356	364	wininit.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

kefkdcbcrz.exewininit.exe

pid	process
524	kefkdcbcrz.exe
524	kefkdcbcrz.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe
364	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

kefkdcbcrz.exewininit.exe

pid process

524 kefkdcbcrz.exe
524 kefkdcbcrz.exe
524 kefkdcbcrz.exe
364 wininit.exe
364 wininit.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kefkdcbcrz.exewininit.exe

description pid process

Token: SeDebugPrivilege 524 kefkdcbcrz.exe
Token: SeDebugPrivilege 364 wininit.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
1356 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
1356 Explorer.EXE

pid	process
1356	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	524	kefkdcbcrz.exe
Token: SeDebugPrivilege	364	wininit.exe

pid	process
1356	Explorer.EXE
1356	Explorer.EXE

pid	process
1356	Explorer.EXE
1356	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

comprovante de pagamento.exekefkdcbcrz.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 1932 wrote to memory of 1936	1932	comprovante de pagamento.exe	kefkdcbcrz.exe
PID 1932 wrote to memory of 1936	1932	comprovante de pagamento.exe	kefkdcbcrz.exe
PID 1932 wrote to memory of 1936	1932	comprovante de pagamento.exe	kefkdcbcrz.exe
PID 1932 wrote to memory of 1936	1932	comprovante de pagamento.exe	kefkdcbcrz.exe
PID 1936 wrote to memory of 524	1936	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 1936 wrote to memory of 524	1936	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 1936 wrote to memory of 524	1936	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 1936 wrote to memory of 524	1936	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 1936 wrote to memory of 524	1936	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 1936 wrote to memory of 524	1936	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 1936 wrote to memory of 524	1936	kefkdcbcrz.exe	kefkdcbcrz.exe
PID 1356 wrote to memory of 364	1356	Explorer.EXE	wininit.exe
PID 1356 wrote to memory of 364	1356	Explorer.EXE	wininit.exe
PID 1356 wrote to memory of 364	1356	Explorer.EXE	wininit.exe
PID 1356 wrote to memory of 364	1356	Explorer.EXE	wininit.exe
PID 364 wrote to memory of 856	364	wininit.exe	cmd.exe
PID 364 wrote to memory of 856	364	wininit.exe	cmd.exe
PID 364 wrote to memory of 856	364	wininit.exe	cmd.exe
PID 364 wrote to memory of 856	364	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\comprovante de pagamento.exe
"C:\Users\Admin\AppData\Local\Temp\comprovante de pagamento.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe C:\Users\Admin\AppData\Local\Temp\xsytq
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe C:\Users\Admin\AppData\Local\Temp\xsytq
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe"
3⤵
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bs5210ina7o23q4wlv
MD5
635788a319cc804f7eee6cc85484994d

SHA1
ec66c3089a7ef4905248ea91d5fd5406e081deb0

SHA256
cbfa82c018690de266af6d720c9916dd8236d5f12d65c31fb7bf5c95b4e0a43c

SHA512
f8fb2daeedb1a92b0e206009155f29cde504de7cba69935d47ee63c96fe2734c93becf199adcca6da53357824024ed9636696b08bf9669a4024b2fb5bd8f17ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
MD5
22c779f0c5c8e47aea06b03bdd12ef77

SHA1
14b36e7d3841575db9fceb8a635082cf3447ce25

SHA256
1a7a06bea18bf2f36247341bc182cc1aecb1a9be28accb4d559e3e667957d0d3

SHA512
10b2be6b4ca0b87ad0f2f31aace7aaac7340b7ab83dd9770f5f3e7fe3e1b9b62194e5721aeea3971d502b374d664fdbe9555540205be80aa7c197cbf146a3c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
MD5
22c779f0c5c8e47aea06b03bdd12ef77

SHA1
14b36e7d3841575db9fceb8a635082cf3447ce25

SHA256
1a7a06bea18bf2f36247341bc182cc1aecb1a9be28accb4d559e3e667957d0d3

SHA512
10b2be6b4ca0b87ad0f2f31aace7aaac7340b7ab83dd9770f5f3e7fe3e1b9b62194e5721aeea3971d502b374d664fdbe9555540205be80aa7c197cbf146a3c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
MD5
22c779f0c5c8e47aea06b03bdd12ef77

SHA1
14b36e7d3841575db9fceb8a635082cf3447ce25

SHA256
1a7a06bea18bf2f36247341bc182cc1aecb1a9be28accb4d559e3e667957d0d3

SHA512
10b2be6b4ca0b87ad0f2f31aace7aaac7340b7ab83dd9770f5f3e7fe3e1b9b62194e5721aeea3971d502b374d664fdbe9555540205be80aa7c197cbf146a3c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsytq
MD5
b56fe160e90745d86c9ee74fd026e134

SHA1
2231d8dc79fa27334de455ed5fe3d081490bbc77

SHA256
cf9939352d9884929da9a22c416be384d658efdb818b1da7b257875e7c894a98

SHA512
497604bf3a074f5affa3c52afd69f69db0b44fe1e6d5752a036c4c95ad7e869954f6d69201d54af087bf4583e71e40414260a70ca7db75832d8ae7b75312529e

Download Submit
\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
MD5
22c779f0c5c8e47aea06b03bdd12ef77

SHA1
14b36e7d3841575db9fceb8a635082cf3447ce25

SHA256
1a7a06bea18bf2f36247341bc182cc1aecb1a9be28accb4d559e3e667957d0d3

SHA512
10b2be6b4ca0b87ad0f2f31aace7aaac7340b7ab83dd9770f5f3e7fe3e1b9b62194e5721aeea3971d502b374d664fdbe9555540205be80aa7c197cbf146a3c74

Download Submit
\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
MD5
22c779f0c5c8e47aea06b03bdd12ef77

SHA1
14b36e7d3841575db9fceb8a635082cf3447ce25

SHA256
1a7a06bea18bf2f36247341bc182cc1aecb1a9be28accb4d559e3e667957d0d3

SHA512
10b2be6b4ca0b87ad0f2f31aace7aaac7340b7ab83dd9770f5f3e7fe3e1b9b62194e5721aeea3971d502b374d664fdbe9555540205be80aa7c197cbf146a3c74

Download Submit
memory/364-70-0x0000000000F70000-0x0000000000F8A000-memory.dmp

Filesize
104KB

Download
memory/364-73-0x00000000008D0000-0x0000000000960000-memory.dmp

Filesize
576KB

Download
memory/364-72-0x0000000000B00000-0x0000000000E03000-memory.dmp

Filesize
3.0MB

Download
memory/364-71-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/524-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/524-66-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/524-68-0x00000000001A0000-0x00000000001B1000-memory.dmp

Filesize
68KB

Download
memory/524-67-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1356-69-0x0000000005010000-0x0000000005121000-memory.dmp

Filesize
1.1MB

Download
memory/1356-74-0x0000000006A90000-0x0000000006B9F000-memory.dmp

Filesize
1.1MB

Download
memory/1932-55-0x0000000076511000-0x0000000076513000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads