xloader | 145f840479b9baa3431886abf20b30820f2cc5fe427c0d14390818c7e38ad3cd

General

Target

tmp.exe
Size

274KB
MD5

16c4a16f7bd751b068e65d81ba2f64cd
SHA1

3cc2679cb6af197f177481f7708bed0eed93f458
SHA256

145f840479b9baa3431886abf20b30820f2cc5fe427c0d14390818c7e38ad3cd
SHA512

8675970aa4fc84e3fc6e9b84b7189e8077a372e15b01be22bfd52877e2e6c94d439e213271d2554f242182fc9052b9b98148876e31096467c778cc508cad006f

Score

10^/10

xloader ahc8 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4204-138-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4204-143-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/448-147-0x0000000000BB0000-0x0000000000BD9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

hsssany.exehsssany.exe

pid process

4108 hsssany.exe
4204 hsssany.exe

pid	process
4108	hsssany.exe
4204	hsssany.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

hsssany.exehsssany.exerundll32.exe

description	pid	process	target process
PID 4108 set thread context of 4204	4108	hsssany.exe	hsssany.exe
PID 4204 set thread context of 2752	4204	hsssany.exe	Explorer.EXE
PID 448 set thread context of 2752	448	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

hsssany.exerundll32.exe

pid	process
4204	hsssany.exe
4204	hsssany.exe
4204	hsssany.exe
4204	hsssany.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2752 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

hsssany.exerundll32.exe

pid process

4204 hsssany.exe
4204 hsssany.exe
4204 hsssany.exe
448 rundll32.exe
448 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hsssany.exerundll32.exe

description pid process

Token: SeDebugPrivilege 4204 hsssany.exe
Token: SeDebugPrivilege 448 rundll32.exe

pid	process
2752	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4204	hsssany.exe
Token: SeDebugPrivilege	448	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

tmp.exehsssany.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 2132 wrote to memory of 4108	2132	tmp.exe	hsssany.exe
PID 2132 wrote to memory of 4108	2132	tmp.exe	hsssany.exe
PID 2132 wrote to memory of 4108	2132	tmp.exe	hsssany.exe
PID 4108 wrote to memory of 4204	4108	hsssany.exe	hsssany.exe
PID 4108 wrote to memory of 4204	4108	hsssany.exe	hsssany.exe
PID 4108 wrote to memory of 4204	4108	hsssany.exe	hsssany.exe
PID 4108 wrote to memory of 4204	4108	hsssany.exe	hsssany.exe
PID 4108 wrote to memory of 4204	4108	hsssany.exe	hsssany.exe
PID 4108 wrote to memory of 4204	4108	hsssany.exe	hsssany.exe
PID 2752 wrote to memory of 448	2752	Explorer.EXE	rundll32.exe
PID 2752 wrote to memory of 448	2752	Explorer.EXE	rundll32.exe
PID 2752 wrote to memory of 448	2752	Explorer.EXE	rundll32.exe
PID 448 wrote to memory of 1188	448	rundll32.exe	cmd.exe
PID 448 wrote to memory of 1188	448	rundll32.exe	cmd.exe
PID 448 wrote to memory of 1188	448	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\hsssany.exe
C:\Users\Admin\AppData\Local\Temp\hsssany.exe C:\Users\Admin\AppData\Local\Temp\igjxkq
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4108

C:\Users\Admin\AppData\Local\Temp\hsssany.exe
C:\Users\Admin\AppData\Local\Temp\hsssany.exe C:\Users\Admin\AppData\Local\Temp\igjxkq
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\hsssany.exe"
3⤵
PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fki5xdwbhcbhpy
MD5
7fb21510f14fd999145c37cb54d191de

SHA1
7ce318c80c798dfcc6a601d531f49ed95134e9ce

SHA256
a20f4cce92d9bd4eb9c9e943514de908ea2ca9f666623c04de319dd7a7a67367

SHA512
483b8cbab3e6bd316b290a7cc8f9ae5316d5f8d843e37a26ec628172a038454c557569729eb5cf1ca7731c8781580109a0c9c0f7d2a4c12012d716e2aa0d8e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsssany.exe
MD5
a25a388c0f8ab3779421f0747163c39b

SHA1
22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

SHA256
f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

SHA512
807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsssany.exe
MD5
a25a388c0f8ab3779421f0747163c39b

SHA1
22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

SHA256
f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

SHA512
807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsssany.exe
MD5
a25a388c0f8ab3779421f0747163c39b

SHA1
22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

SHA256
f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

SHA512
807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

Download Submit
C:\Users\Admin\AppData\Local\Temp\igjxkq
MD5
1169886f2881955b7e4af98a4d4251d6

SHA1
ab0a023754e13727d7e76c7821da43667519c1aa

SHA256
f0c6b182474ca01313269fb8f3a1e8aa82c2389ae1b0ee919ff710a34519f320

SHA512
80a7794c370cee1babd3dde9e412cfdc4ab850a1654623e3a4fe5657e7ab88d4ae77efcbd15fa9560d405ff01a422a41d9e6569a508a9f8a8987c36fc479f314

Download Submit
memory/448-147-0x0000000000BB0000-0x0000000000BD9000-memory.dmp

Filesize
164KB

Download
memory/448-149-0x0000000002AF0000-0x0000000002B80000-memory.dmp

Filesize
576KB

Download
memory/448-148-0x0000000002D60000-0x00000000030AA000-memory.dmp

Filesize
3.3MB

Download
memory/448-146-0x0000000000500000-0x0000000000514000-memory.dmp

Filesize
80KB

Download
memory/2752-150-0x00000000033A0000-0x000000000348F000-memory.dmp

Filesize
956KB

Download
memory/2752-145-0x0000000008B80000-0x0000000008D19000-memory.dmp

Filesize
1.6MB

Download
memory/4108-140-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/4204-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4204-143-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4204-144-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/4204-142-0x0000000000A50000-0x0000000000D9A000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads