xloader | 92ab8821f6c4eedc8bec6abee96520514061e32b772831dc3ecb8e71f8f7bcb3

General

Target

Demande de prix.exe
Size

333KB
MD5

72c876e6f764bb1928d1f62c909b7c67
SHA1

2b75b06f02c650a06ed9ba9db90f3e7348d0b8be
SHA256

92ab8821f6c4eedc8bec6abee96520514061e32b772831dc3ecb8e71f8f7bcb3
SHA512

3e4a8b38bf5de65deca31259338fa3e2e4287b3f3ec7558e7ea7da59835289c5d286ab9e1a74bec4399b287a94908e58f5d62700ca056fa6702e6af824958b59

Score

10^/10

xloader cbgo loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

santesha.com

britneysbeautybar.com

sh-cy17.com

jeffcarveragency.com

3117111.com

sobrehosting.net

ddm123.xyz

toxcompliance.com

auditorydesigns.com

vliftfacial.com

ielhii.com

naameliss.com

ritualchariot.com

solchange.com

quatre-vingts.design

lawnmowermashine.com

braceletsstore.net

admappy.com

tollivercoltd.com

vaidix.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/956-61-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/956-65-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1384-75-0x0000000000120000-0x0000000000149000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

dsaxa.exedsaxa.exe

pid process

1652 dsaxa.exe
956 dsaxa.exe
Loads dropped DLL 2 IoCs

Processes:

Demande de prix.exedsaxa.exe

pid process

1556 Demande de prix.exe
1652 dsaxa.exe

pid	process
1652	dsaxa.exe
956	dsaxa.exe

pid	process
1556	Demande de prix.exe
1652	dsaxa.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

dsaxa.exedsaxa.exeraserver.exe

description	pid	process	target process
PID 1652 set thread context of 956	1652	dsaxa.exe	dsaxa.exe
PID 956 set thread context of 1352	956	dsaxa.exe	Explorer.EXE
PID 956 set thread context of 1352	956	dsaxa.exe	Explorer.EXE
PID 1384 set thread context of 1352	1384	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

dsaxa.exeraserver.exe

pid	process
956	dsaxa.exe
956	dsaxa.exe
956	dsaxa.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe
1384	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1352 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

dsaxa.exeraserver.exe

pid process

956 dsaxa.exe
956 dsaxa.exe
956 dsaxa.exe
956 dsaxa.exe
1384 raserver.exe
1384 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dsaxa.exeraserver.exe

description pid process

Token: SeDebugPrivilege 956 dsaxa.exe
Token: SeDebugPrivilege 1384 raserver.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1352 Explorer.EXE
1352 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1352 Explorer.EXE
1352 Explorer.EXE

pid	process
1352	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	956	dsaxa.exe
Token: SeDebugPrivilege	1384	raserver.exe

pid	process
1352	Explorer.EXE
1352	Explorer.EXE

pid	process
1352	Explorer.EXE
1352	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Demande de prix.exedsaxa.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 1556 wrote to memory of 1652	1556	Demande de prix.exe	dsaxa.exe
PID 1556 wrote to memory of 1652	1556	Demande de prix.exe	dsaxa.exe
PID 1556 wrote to memory of 1652	1556	Demande de prix.exe	dsaxa.exe
PID 1556 wrote to memory of 1652	1556	Demande de prix.exe	dsaxa.exe
PID 1652 wrote to memory of 956	1652	dsaxa.exe	dsaxa.exe
PID 1652 wrote to memory of 956	1652	dsaxa.exe	dsaxa.exe
PID 1652 wrote to memory of 956	1652	dsaxa.exe	dsaxa.exe
PID 1652 wrote to memory of 956	1652	dsaxa.exe	dsaxa.exe
PID 1652 wrote to memory of 956	1652	dsaxa.exe	dsaxa.exe
PID 1652 wrote to memory of 956	1652	dsaxa.exe	dsaxa.exe
PID 1652 wrote to memory of 956	1652	dsaxa.exe	dsaxa.exe
PID 1352 wrote to memory of 1384	1352	Explorer.EXE	raserver.exe
PID 1352 wrote to memory of 1384	1352	Explorer.EXE	raserver.exe
PID 1352 wrote to memory of 1384	1352	Explorer.EXE	raserver.exe
PID 1352 wrote to memory of 1384	1352	Explorer.EXE	raserver.exe
PID 1384 wrote to memory of 1956	1384	raserver.exe	cmd.exe
PID 1384 wrote to memory of 1956	1384	raserver.exe	cmd.exe
PID 1384 wrote to memory of 1956	1384	raserver.exe	cmd.exe
PID 1384 wrote to memory of 1956	1384	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\Demande de prix.exe
"C:\Users\Admin\AppData\Local\Temp\Demande de prix.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\dsaxa.exe
C:\Users\Admin\AppData\Local\Temp\dsaxa.exe C:\Users\Admin\AppData\Local\Temp\txhqogil
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\dsaxa.exe
C:\Users\Admin\AppData\Local\Temp\dsaxa.exe C:\Users\Admin\AppData\Local\Temp\txhqogil
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1380

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\dsaxa.exe"
3⤵
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dsaxa.exe
MD5
78f766ad7d7e23faecf6384147dcfae9

SHA1
07894888023bd1e068e45641c7b12fa4a1cc9376

SHA256
a3976abc44f16aa53b33e27ec429889a09e7200ed15b29966dc29990fdf1f74b

SHA512
788cadacfff3ba1290a3c34f038820b6e9163a1a0f5a9dc7ae6bbbdf02dc76051aa3d12a3007f36483eba2af4c90da2a7ef2a7b188bbed22e0431e0784fd29e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsaxa.exe
MD5
78f766ad7d7e23faecf6384147dcfae9

SHA1
07894888023bd1e068e45641c7b12fa4a1cc9376

SHA256
a3976abc44f16aa53b33e27ec429889a09e7200ed15b29966dc29990fdf1f74b

SHA512
788cadacfff3ba1290a3c34f038820b6e9163a1a0f5a9dc7ae6bbbdf02dc76051aa3d12a3007f36483eba2af4c90da2a7ef2a7b188bbed22e0431e0784fd29e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsaxa.exe
MD5
78f766ad7d7e23faecf6384147dcfae9

SHA1
07894888023bd1e068e45641c7b12fa4a1cc9376

SHA256
a3976abc44f16aa53b33e27ec429889a09e7200ed15b29966dc29990fdf1f74b

SHA512
788cadacfff3ba1290a3c34f038820b6e9163a1a0f5a9dc7ae6bbbdf02dc76051aa3d12a3007f36483eba2af4c90da2a7ef2a7b188bbed22e0431e0784fd29e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2dtluw9kxt
MD5
ca3b8fc9e538982f07ed1f80e567fa38

SHA1
f682686846ca013708621f7a018305efbb221269

SHA256
0bfaaf2fbcb9678a6cef0ff2e633d0df158e3739595ea8d7f2b2ebb0f48f4565

SHA512
d59408f31fec70a481b88046ecdf89abadece69b129f1dd0d6d7f05c8cf3fbd5ae13d161e482a9ddce44815d445e2ea44a5efb58c134e51bb5a76f454cea0ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\txhqogil
MD5
728e31cf245db7ed3c805595387f8906

SHA1
655133d8295a0f090fd8bf3841c5688fb32d0858

SHA256
966ddea35f8e384affe2ebcd373221a10454af54d1806f451259893abe416065

SHA512
7a15637736432ab615f1893475f3e89ee3fbf8991bb5e5df8c36f401439788f2daf56705d0c67308cb27156af2dfb7a54744ec25ee97adeb948fa80de6ecf5cb

Download Submit
\Users\Admin\AppData\Local\Temp\dsaxa.exe
MD5
78f766ad7d7e23faecf6384147dcfae9

SHA1
07894888023bd1e068e45641c7b12fa4a1cc9376

SHA256
a3976abc44f16aa53b33e27ec429889a09e7200ed15b29966dc29990fdf1f74b

SHA512
788cadacfff3ba1290a3c34f038820b6e9163a1a0f5a9dc7ae6bbbdf02dc76051aa3d12a3007f36483eba2af4c90da2a7ef2a7b188bbed22e0431e0784fd29e1

Download Submit
\Users\Admin\AppData\Local\Temp\dsaxa.exe
MD5
78f766ad7d7e23faecf6384147dcfae9

SHA1
07894888023bd1e068e45641c7b12fa4a1cc9376

SHA256
a3976abc44f16aa53b33e27ec429889a09e7200ed15b29966dc29990fdf1f74b

SHA512
788cadacfff3ba1290a3c34f038820b6e9163a1a0f5a9dc7ae6bbbdf02dc76051aa3d12a3007f36483eba2af4c90da2a7ef2a7b188bbed22e0431e0784fd29e1

Download Submit
memory/956-65-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/956-71-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/956-64-0x0000000000920000-0x0000000000C23000-memory.dmp

Filesize
3.0MB

Download
memory/956-70-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/956-67-0x00000000000E0000-0x00000000000F1000-memory.dmp

Filesize
68KB

Download
memory/956-66-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/956-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1352-68-0x0000000006620000-0x0000000006745000-memory.dmp

Filesize
1.1MB

Download
memory/1352-72-0x00000000070D0000-0x0000000007269000-memory.dmp

Filesize
1.6MB

Download
memory/1352-78-0x00000000046F0000-0x00000000047EE000-memory.dmp

Filesize
1016KB

Download
memory/1384-75-0x0000000000120000-0x0000000000149000-memory.dmp

Filesize
164KB

Download
memory/1384-74-0x0000000000910000-0x000000000092C000-memory.dmp

Filesize
112KB

Download
memory/1384-76-0x0000000002000000-0x0000000002303000-memory.dmp

Filesize
3.0MB

Download
memory/1384-77-0x0000000001D30000-0x0000000001DC0000-memory.dmp

Filesize
576KB

Download
memory/1556-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads