xloader | c1bd0f2f3ac96d89502bb30e5397b77fd0801c400b6afe989d0b5d356b1926d0

General

Target

c1bd0f2f3ac96d89502bb30e5397b77fd0801c400b6afe989d0b5d356b1926d0.exe
Size

303KB
MD5

56f2db36ab627f09c22008f06ce17974
SHA1

72eea805c0d1f4eaa68de67b73e3479bfc54e4a1
SHA256

c1bd0f2f3ac96d89502bb30e5397b77fd0801c400b6afe989d0b5d356b1926d0
SHA512

8a4dba7f5d5f9901e4dd1cd6cd2b23c985838d882e093611e8309176747b809cef364b18c82f260119d4c82e8c55accdf5293753cb43ed99fb238f9da0ad2e52

Score

10^/10

xloader ahc8 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2556-119-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/3884-127-0x0000000002600000-0x0000000002629000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

drtvyqddpk.exedrtvyqddpk.exe

pid process

3572 drtvyqddpk.exe
2556 drtvyqddpk.exe

pid	process
3572	drtvyqddpk.exe
2556	drtvyqddpk.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

drtvyqddpk.exedrtvyqddpk.exewlanext.exe

description	pid	process	target process
PID 3572 set thread context of 2556	3572	drtvyqddpk.exe	drtvyqddpk.exe
PID 2556 set thread context of 2268	2556	drtvyqddpk.exe	Explorer.EXE
PID 3884 set thread context of 2268	3884	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

drtvyqddpk.exewlanext.exe

pid	process
2556	drtvyqddpk.exe
2556	drtvyqddpk.exe
2556	drtvyqddpk.exe
2556	drtvyqddpk.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe
3884	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2268 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

drtvyqddpk.exewlanext.exe

pid process

2556 drtvyqddpk.exe
2556 drtvyqddpk.exe
2556 drtvyqddpk.exe
3884 wlanext.exe
3884 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

drtvyqddpk.exewlanext.exe

description pid process

Token: SeDebugPrivilege 2556 drtvyqddpk.exe
Token: SeDebugPrivilege 3884 wlanext.exe

pid	process
2268	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2556	drtvyqddpk.exe
Token: SeDebugPrivilege	3884	wlanext.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

c1bd0f2f3ac96d89502bb30e5397b77fd0801c400b6afe989d0b5d356b1926d0.exedrtvyqddpk.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 3504 wrote to memory of 3572	3504	c1bd0f2f3ac96d89502bb30e5397b77fd0801c400b6afe989d0b5d356b1926d0.exe	drtvyqddpk.exe
PID 3504 wrote to memory of 3572	3504	c1bd0f2f3ac96d89502bb30e5397b77fd0801c400b6afe989d0b5d356b1926d0.exe	drtvyqddpk.exe
PID 3504 wrote to memory of 3572	3504	c1bd0f2f3ac96d89502bb30e5397b77fd0801c400b6afe989d0b5d356b1926d0.exe	drtvyqddpk.exe
PID 3572 wrote to memory of 2556	3572	drtvyqddpk.exe	drtvyqddpk.exe
PID 3572 wrote to memory of 2556	3572	drtvyqddpk.exe	drtvyqddpk.exe
PID 3572 wrote to memory of 2556	3572	drtvyqddpk.exe	drtvyqddpk.exe
PID 3572 wrote to memory of 2556	3572	drtvyqddpk.exe	drtvyqddpk.exe
PID 3572 wrote to memory of 2556	3572	drtvyqddpk.exe	drtvyqddpk.exe
PID 3572 wrote to memory of 2556	3572	drtvyqddpk.exe	drtvyqddpk.exe
PID 2268 wrote to memory of 3884	2268	Explorer.EXE	wlanext.exe
PID 2268 wrote to memory of 3884	2268	Explorer.EXE	wlanext.exe
PID 2268 wrote to memory of 3884	2268	Explorer.EXE	wlanext.exe
PID 3884 wrote to memory of 3792	3884	wlanext.exe	cmd.exe
PID 3884 wrote to memory of 3792	3884	wlanext.exe	cmd.exe
PID 3884 wrote to memory of 3792	3884	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2268

C:\Users\Admin\AppData\Local\Temp\c1bd0f2f3ac96d89502bb30e5397b77fd0801c400b6afe989d0b5d356b1926d0.exe
"C:\Users\Admin\AppData\Local\Temp\c1bd0f2f3ac96d89502bb30e5397b77fd0801c400b6afe989d0b5d356b1926d0.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3504

C:\Users\Admin\AppData\Local\Temp\drtvyqddpk.exe
C:\Users\Admin\AppData\Local\Temp\drtvyqddpk.exe C:\Users\Admin\AppData\Local\Temp\wmauhtegtt
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Local\Temp\drtvyqddpk.exe
C:\Users\Admin\AppData\Local\Temp\drtvyqddpk.exe C:\Users\Admin\AppData\Local\Temp\wmauhtegtt
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\drtvyqddpk.exe"
3⤵
PID:3792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\30upuchg5wx5obyg
MD5
c57e8fe07739ebfd60a7fcec649903ec

SHA1
4feba783d40137ab2b2056686375f98042645732

SHA256
540c159b3d9c786ba87065c17e8ea40110d0a51f52c7baf91362544870c4da02

SHA512
36e2c0ca67bebc088110bb00e6c503ef1298bf13b295b852646cba025664825b6de9ff19031d3c30bf77e4d4200b4fa852c8214321e5de1dc8a019908eaf9d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\drtvyqddpk.exe
MD5
97b092c543bcbe563128a44a60121886

SHA1
660ea604d228f97c0eaf4e8cb9236214a505e375

SHA256
37b9df890d11a2ca96b79a1747ddf0833226c4b37323310c42d1126abd1073dc

SHA512
3c0180d001ae7fb9d7ad9f850041ee47d2bb7fa9791fc68af913083748571543c24b9c5fb4e0af9e582b0590bba63606375e5f27c0657b142d8c99bd34a27ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\drtvyqddpk.exe
MD5
97b092c543bcbe563128a44a60121886

SHA1
660ea604d228f97c0eaf4e8cb9236214a505e375

SHA256
37b9df890d11a2ca96b79a1747ddf0833226c4b37323310c42d1126abd1073dc

SHA512
3c0180d001ae7fb9d7ad9f850041ee47d2bb7fa9791fc68af913083748571543c24b9c5fb4e0af9e582b0590bba63606375e5f27c0657b142d8c99bd34a27ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\drtvyqddpk.exe
MD5
97b092c543bcbe563128a44a60121886

SHA1
660ea604d228f97c0eaf4e8cb9236214a505e375

SHA256
37b9df890d11a2ca96b79a1747ddf0833226c4b37323310c42d1126abd1073dc

SHA512
3c0180d001ae7fb9d7ad9f850041ee47d2bb7fa9791fc68af913083748571543c24b9c5fb4e0af9e582b0590bba63606375e5f27c0657b142d8c99bd34a27ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmauhtegtt
MD5
bdd7e616eb49e4f3e6ea838b5464cd4c

SHA1
92d3d469bb31b3d190973eb6209267214f09fd24

SHA256
b8a824fb0c24dfeccd74d759bd3b8e63a9987ad4f74ea68f8703bd5bc6bdefe8

SHA512
36d8e735b3cd339ac604d8ddb31721470625543549cf289e4e336345f5f245029fb723b22963041e1e8c01f070e67133d6b7e3ede6681badb4765f2883c6a7ad

Download Submit
memory/2268-130-0x0000000006010000-0x00000000060E6000-memory.dmp

Filesize
856KB

Download
memory/2268-125-0x0000000005E80000-0x0000000006009000-memory.dmp

Filesize
1.5MB

Download
memory/2556-119-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2556-121-0x0000000001690000-0x00000000019B0000-memory.dmp

Filesize
3.1MB

Download
memory/2556-124-0x0000000001160000-0x00000000012AA000-memory.dmp

Filesize
1.3MB

Download
memory/2556-123-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/3572-118-0x0000000000810000-0x0000000000812000-memory.dmp

Filesize
8KB

Download
memory/3884-127-0x0000000002600000-0x0000000002629000-memory.dmp

Filesize
164KB

Download
memory/3884-128-0x0000000002C60000-0x0000000002F80000-memory.dmp

Filesize
3.1MB

Download
memory/3884-129-0x0000000002930000-0x0000000002ABF000-memory.dmp

Filesize
1.6MB

Download
memory/3884-126-0x0000000000180000-0x0000000000197000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads