xloader | 5310b41169311c55d3dbdd3bf129510349d4eccac82ebe11ab34be1a291f2916

General

Target

COMMANDE.exe
Size

300KB
MD5

15ed95eaed3d1031c2e7dcc9d129e0f0
SHA1

98148eb8665763ed2b1dafbe2050d4b638f5078f
SHA256

5310b41169311c55d3dbdd3bf129510349d4eccac82ebe11ab34be1a291f2916
SHA512

2bbc1be0e8a703071cc6859b83db4032f92ba234bf4e41b4a221eb29191a208564995b356b24de9727e0abf669a6f79986742be0321249a8d0041abcbd39b341

Score

10^/10

xloader cbgo loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

santesha.com

britneysbeautybar.com

sh-cy17.com

jeffcarveragency.com

3117111.com

sobrehosting.net

ddm123.xyz

toxcompliance.com

auditorydesigns.com

vliftfacial.com

ielhii.com

naameliss.com

ritualchariot.com

solchange.com

quatre-vingts.design

lawnmowermashine.com

braceletsstore.net

admappy.com

tollivercoltd.com

vaidix.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1932-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1932-70-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/436-75-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

eudupag.exeeudupag.exe

pid process

1828 eudupag.exe
1932 eudupag.exe
Loads dropped DLL 3 IoCs

Processes:

COMMANDE.exeeudupag.exe

pid process

780 COMMANDE.exe
780 COMMANDE.exe
1828 eudupag.exe

pid	process
1828	eudupag.exe
1932	eudupag.exe

pid	process
780	COMMANDE.exe
780	COMMANDE.exe
1828	eudupag.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

eudupag.exeeudupag.execmmon32.exe

description	pid	process	target process
PID 1828 set thread context of 1932	1828	eudupag.exe	eudupag.exe
PID 1932 set thread context of 1348	1932	eudupag.exe	Explorer.EXE
PID 1932 set thread context of 1348	1932	eudupag.exe	Explorer.EXE
PID 436 set thread context of 1348	436	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

eudupag.execmmon32.exe

pid	process
1932	eudupag.exe
1932	eudupag.exe
1932	eudupag.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe
436	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1348 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

eudupag.execmmon32.exe

pid process

1932 eudupag.exe
1932 eudupag.exe
1932 eudupag.exe
1932 eudupag.exe
436 cmmon32.exe
436 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

eudupag.execmmon32.exe

description pid process

Token: SeDebugPrivilege 1932 eudupag.exe
Token: SeDebugPrivilege 436 cmmon32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1348 Explorer.EXE
1348 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1348 Explorer.EXE
1348 Explorer.EXE

pid	process
1348	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1932	eudupag.exe
Token: SeDebugPrivilege	436	cmmon32.exe

pid	process
1348	Explorer.EXE
1348	Explorer.EXE

pid	process
1348	Explorer.EXE
1348	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

COMMANDE.exeeudupag.exeeudupag.execmmon32.exe

description	pid	process	target process
PID 780 wrote to memory of 1828	780	COMMANDE.exe	eudupag.exe
PID 780 wrote to memory of 1828	780	COMMANDE.exe	eudupag.exe
PID 780 wrote to memory of 1828	780	COMMANDE.exe	eudupag.exe
PID 780 wrote to memory of 1828	780	COMMANDE.exe	eudupag.exe
PID 1828 wrote to memory of 1932	1828	eudupag.exe	eudupag.exe
PID 1828 wrote to memory of 1932	1828	eudupag.exe	eudupag.exe
PID 1828 wrote to memory of 1932	1828	eudupag.exe	eudupag.exe
PID 1828 wrote to memory of 1932	1828	eudupag.exe	eudupag.exe
PID 1828 wrote to memory of 1932	1828	eudupag.exe	eudupag.exe
PID 1828 wrote to memory of 1932	1828	eudupag.exe	eudupag.exe
PID 1828 wrote to memory of 1932	1828	eudupag.exe	eudupag.exe
PID 1932 wrote to memory of 436	1932	eudupag.exe	cmmon32.exe
PID 1932 wrote to memory of 436	1932	eudupag.exe	cmmon32.exe
PID 1932 wrote to memory of 436	1932	eudupag.exe	cmmon32.exe
PID 1932 wrote to memory of 436	1932	eudupag.exe	cmmon32.exe
PID 436 wrote to memory of 1072	436	cmmon32.exe	cmd.exe
PID 436 wrote to memory of 1072	436	cmmon32.exe	cmd.exe
PID 436 wrote to memory of 1072	436	cmmon32.exe	cmd.exe
PID 436 wrote to memory of 1072	436	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1348

C:\Users\Admin\AppData\Local\Temp\COMMANDE.exe
"C:\Users\Admin\AppData\Local\Temp\COMMANDE.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:780

C:\Users\Admin\AppData\Local\Temp\eudupag.exe
C:\Users\Admin\AppData\Local\Temp\eudupag.exe C:\Users\Admin\AppData\Local\Temp\nhddajnigp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\eudupag.exe
C:\Users\Admin\AppData\Local\Temp\eudupag.exe C:\Users\Admin\AppData\Local\Temp\nhddajnigp
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\eudupag.exe"
6⤵
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eudupag.exe
MD5
b0864289f09d4f400ff18bccd2fe858e

SHA1
345ac756ae1b5b3230c5032e96bb4976787fc447

SHA256
0bebe910efbed34fe37976921cdece0364c0548ea2938404d3c66287b1b37667

SHA512
32475f1a02bafbe4e0860713d399a22a45fb5137ce8f3a5cb615e54faec87e69a5b4edf006cc9c9aa9edc6d6af3e6ed62e1d733f06bd63867703a3091ed77223

Download Submit
C:\Users\Admin\AppData\Local\Temp\eudupag.exe
MD5
b0864289f09d4f400ff18bccd2fe858e

SHA1
345ac756ae1b5b3230c5032e96bb4976787fc447

SHA256
0bebe910efbed34fe37976921cdece0364c0548ea2938404d3c66287b1b37667

SHA512
32475f1a02bafbe4e0860713d399a22a45fb5137ce8f3a5cb615e54faec87e69a5b4edf006cc9c9aa9edc6d6af3e6ed62e1d733f06bd63867703a3091ed77223

Download Submit
C:\Users\Admin\AppData\Local\Temp\eudupag.exe
MD5
b0864289f09d4f400ff18bccd2fe858e

SHA1
345ac756ae1b5b3230c5032e96bb4976787fc447

SHA256
0bebe910efbed34fe37976921cdece0364c0548ea2938404d3c66287b1b37667

SHA512
32475f1a02bafbe4e0860713d399a22a45fb5137ce8f3a5cb615e54faec87e69a5b4edf006cc9c9aa9edc6d6af3e6ed62e1d733f06bd63867703a3091ed77223

Download Submit
C:\Users\Admin\AppData\Local\Temp\i0bvw9ieywzl0xhhqo1y
MD5
4dcb394819e0edf751119d26b4ff65c8

SHA1
0af4583869297dacf26ddbea8b6598c2d0384386

SHA256
d3dfcdbea4f79f747a95a4353b10e9bbeafe9069915f27e41e4444b8433331a0

SHA512
3a0f9ddd9a8f038d1297c94c7f173391b49d00e67d9893e5f33d4504d93575905af55d329a4d7c5febd5a4000cc530d56a6daa044a672c30162c8bc4106480f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhddajnigp
MD5
e42f7db839c8b5d49522864853556254

SHA1
0540d291746f405aeb5801fb333e697c8100fe98

SHA256
4f3524205dc82fc76c546010af8c492fdad5dfd49a91cfdb427019a96fa7b20f

SHA512
a95ca20eee536da0dc4ad83b86e5549b4c126b73ae91759a6e93350088d684ec968deb9843c2612aad3c25fc668ec279eef94271a829e4409222a9c08e7bb803

Download Submit
\Users\Admin\AppData\Local\Temp\eudupag.exe
MD5
b0864289f09d4f400ff18bccd2fe858e

SHA1
345ac756ae1b5b3230c5032e96bb4976787fc447

SHA256
0bebe910efbed34fe37976921cdece0364c0548ea2938404d3c66287b1b37667

SHA512
32475f1a02bafbe4e0860713d399a22a45fb5137ce8f3a5cb615e54faec87e69a5b4edf006cc9c9aa9edc6d6af3e6ed62e1d733f06bd63867703a3091ed77223

Download Submit
\Users\Admin\AppData\Local\Temp\eudupag.exe
MD5
b0864289f09d4f400ff18bccd2fe858e

SHA1
345ac756ae1b5b3230c5032e96bb4976787fc447

SHA256
0bebe910efbed34fe37976921cdece0364c0548ea2938404d3c66287b1b37667

SHA512
32475f1a02bafbe4e0860713d399a22a45fb5137ce8f3a5cb615e54faec87e69a5b4edf006cc9c9aa9edc6d6af3e6ed62e1d733f06bd63867703a3091ed77223

Download Submit
\Users\Admin\AppData\Local\Temp\eudupag.exe
MD5
b0864289f09d4f400ff18bccd2fe858e

SHA1
345ac756ae1b5b3230c5032e96bb4976787fc447

SHA256
0bebe910efbed34fe37976921cdece0364c0548ea2938404d3c66287b1b37667

SHA512
32475f1a02bafbe4e0860713d399a22a45fb5137ce8f3a5cb615e54faec87e69a5b4edf006cc9c9aa9edc6d6af3e6ed62e1d733f06bd63867703a3091ed77223

Download Submit
memory/436-76-0x0000000001EB0000-0x00000000021B3000-memory.dmp

Filesize
3.0MB

Download
memory/436-77-0x0000000000960000-0x00000000009F0000-memory.dmp

Filesize
576KB

Download
memory/436-75-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/436-74-0x0000000000AA0000-0x0000000000AAD000-memory.dmp

Filesize
52KB

Download
memory/780-54-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1348-78-0x00000000066E0000-0x00000000067A8000-memory.dmp

Filesize
800KB

Download
memory/1348-73-0x0000000007390000-0x00000000074CC000-memory.dmp

Filesize
1.2MB

Download
memory/1348-69-0x0000000006AF0000-0x0000000006C42000-memory.dmp

Filesize
1.3MB

Download
memory/1932-66-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/1932-71-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1932-72-0x0000000000250000-0x0000000000261000-memory.dmp

Filesize
68KB

Download
memory/1932-70-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1932-68-0x0000000000210000-0x0000000000221000-memory.dmp

Filesize
68KB

Download
memory/1932-67-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1932-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads