xloader | 1190df73979f3dc768713f51fcf6e2eb439b95caf7c4a2b998c377ea5a35e9d5

General

Target

triage_dropped_file.exe
Size

308KB
MD5

e41def555743c430d0def4a513de4d96
SHA1

7c90a41062f1f867a1ae0bdeb1d37ca72cd2b95e
SHA256

1190df73979f3dc768713f51fcf6e2eb439b95caf7c4a2b998c377ea5a35e9d5
SHA512

331add20592a9cd8336bc902fe0f4934f6b50866904eb60f4cc3e6046c5edf8d29b5e901cc37f1619ffed9ae83201bbb93d165297ba41dda655b533870e722b6

Score

10^/10

xloader ahc8 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/952-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/952-65-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1640-76-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

31 1640 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

bifhcp.exebifhcp.exe

pid process

1752 bifhcp.exe
952 bifhcp.exe
Loads dropped DLL 2 IoCs

Processes:

triage_dropped_file.exebifhcp.exe

pid process

1500 triage_dropped_file.exe
1752 bifhcp.exe

flow	pid	process
31	1640	cmd.exe

pid	process
1752	bifhcp.exe
952	bifhcp.exe

pid	process
1500	triage_dropped_file.exe
1752	bifhcp.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

bifhcp.exebifhcp.execmd.exe

description	pid	process	target process
PID 1752 set thread context of 952	1752	bifhcp.exe	bifhcp.exe
PID 952 set thread context of 1392	952	bifhcp.exe	Explorer.EXE
PID 952 set thread context of 1392	952	bifhcp.exe	Explorer.EXE
PID 1640 set thread context of 1392	1640	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

bifhcp.execmd.exe

pid	process
952	bifhcp.exe
952	bifhcp.exe
952	bifhcp.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1392 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

bifhcp.execmd.exe

pid process

952 bifhcp.exe
952 bifhcp.exe
952 bifhcp.exe
952 bifhcp.exe
1640 cmd.exe
1640 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bifhcp.execmd.exe

description pid process

Token: SeDebugPrivilege 952 bifhcp.exe
Token: SeDebugPrivilege 1640 cmd.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1392 Explorer.EXE
1392 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1392 Explorer.EXE
1392 Explorer.EXE

pid	process
1392	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	952	bifhcp.exe
Token: SeDebugPrivilege	1640	cmd.exe

pid	process
1392	Explorer.EXE
1392	Explorer.EXE

pid	process
1392	Explorer.EXE
1392	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

triage_dropped_file.exebifhcp.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1500 wrote to memory of 1752	1500	triage_dropped_file.exe	bifhcp.exe
PID 1500 wrote to memory of 1752	1500	triage_dropped_file.exe	bifhcp.exe
PID 1500 wrote to memory of 1752	1500	triage_dropped_file.exe	bifhcp.exe
PID 1500 wrote to memory of 1752	1500	triage_dropped_file.exe	bifhcp.exe
PID 1752 wrote to memory of 952	1752	bifhcp.exe	bifhcp.exe
PID 1752 wrote to memory of 952	1752	bifhcp.exe	bifhcp.exe
PID 1752 wrote to memory of 952	1752	bifhcp.exe	bifhcp.exe
PID 1752 wrote to memory of 952	1752	bifhcp.exe	bifhcp.exe
PID 1752 wrote to memory of 952	1752	bifhcp.exe	bifhcp.exe
PID 1752 wrote to memory of 952	1752	bifhcp.exe	bifhcp.exe
PID 1752 wrote to memory of 952	1752	bifhcp.exe	bifhcp.exe
PID 1392 wrote to memory of 1640	1392	Explorer.EXE	cmd.exe
PID 1392 wrote to memory of 1640	1392	Explorer.EXE	cmd.exe
PID 1392 wrote to memory of 1640	1392	Explorer.EXE	cmd.exe
PID 1392 wrote to memory of 1640	1392	Explorer.EXE	cmd.exe
PID 1640 wrote to memory of 1036	1640	cmd.exe	cmd.exe
PID 1640 wrote to memory of 1036	1640	cmd.exe	cmd.exe
PID 1640 wrote to memory of 1036	1640	cmd.exe	cmd.exe
PID 1640 wrote to memory of 1036	1640	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe
"C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
C:\Users\Admin\AppData\Local\Temp\bifhcp.exe C:\Users\Admin\AppData\Local\Temp\xvipmw
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
C:\Users\Admin\AppData\Local\Temp\bifhcp.exe C:\Users\Admin\AppData\Local\Temp\xvipmw
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\bifhcp.exe"
3⤵
PID:1036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8uvc6tb2cw52
MD5
ad8694bf41f9cbbb4d8e671a3ce0612a

SHA1
60b8f572210e8112f04d165b515bd63a2eefaebc

SHA256
f12abecd7d300f5e0077a910f46adff553a2f3d5492cc076443345ea5c038239

SHA512
10c9214615a73582dda0c288d297eacbc9c655977a6a6f01b78f5d0c1c2d748a0cecaf5ce08a54de75baee760629de6c77b81d2647e6c7a22465d844142be478

Download Submit
C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
MD5
40025a502304d446b8e53205991b96c1

SHA1
652b3f88b0521c3abd88290c5d69049e7486312c

SHA256
ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655

SHA512
042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
MD5
40025a502304d446b8e53205991b96c1

SHA1
652b3f88b0521c3abd88290c5d69049e7486312c

SHA256
ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655

SHA512
042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
MD5
40025a502304d446b8e53205991b96c1

SHA1
652b3f88b0521c3abd88290c5d69049e7486312c

SHA256
ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655

SHA512
042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvipmw
MD5
da749731ed6579052c657302b892b44b

SHA1
7da4156af0f1e9ef397e836e9f7a75e90bce1a07

SHA256
c39222c6207fd53f6836e1dd1726f4d2f3f76622208b8113ce23fcb22cb88470

SHA512
e05b3dbd36daabc99edccbee11e31b3cc645b04f41226e2fb1c5772342e47240383d63564955ef35fa5b530e4b404af041f89836ad4ebea8b5c3d65fa3687d92

Download Submit
\Users\Admin\AppData\Local\Temp\bifhcp.exe
MD5
40025a502304d446b8e53205991b96c1

SHA1
652b3f88b0521c3abd88290c5d69049e7486312c

SHA256
ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655

SHA512
042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2

Download Submit
\Users\Admin\AppData\Local\Temp\bifhcp.exe
MD5
40025a502304d446b8e53205991b96c1

SHA1
652b3f88b0521c3abd88290c5d69049e7486312c

SHA256
ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655

SHA512
042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2

Download Submit
memory/952-65-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/952-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/952-72-0x0000000000340000-0x0000000000351000-memory.dmp

Filesize
68KB

Download
memory/952-71-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/952-66-0x0000000000940000-0x0000000000C43000-memory.dmp

Filesize
3.0MB

Download
memory/952-67-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/952-68-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/1392-69-0x0000000003AB0000-0x0000000003B64000-memory.dmp

Filesize
720KB

Download
memory/1392-73-0x0000000006780000-0x0000000006895000-memory.dmp

Filesize
1.1MB

Download
memory/1392-78-0x0000000006A50000-0x0000000006B8F000-memory.dmp

Filesize
1.2MB

Download
memory/1500-54-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/1640-74-0x000000004A260000-0x000000004A2AC000-memory.dmp

Filesize
304KB

Download
memory/1640-75-0x0000000002060000-0x0000000002363000-memory.dmp

Filesize
3.0MB

Download
memory/1640-76-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1640-77-0x0000000001ED0000-0x0000000001F60000-memory.dmp

Filesize
576KB

Download
memory/1752-60-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads