xloader | e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823

General

Target

e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe
Size

1007KB
MD5

05443965844c3f519abe3ac6427f2bb4
SHA1

e78758a72372214c0de08966c77a50cdbaf3559b
SHA256

e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823
SHA512

0763351b8e4495ecae3b67bc27279db647eb3adb5e7e5a68a1046526def81f0eb9efd1039cb59b586aa621003f0f9af7c2b121032b4ffc02b36170f06dce113f

Score

10^/10

xloader ahc8 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/5016-141-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe

description	pid	process	target process
PID 4364 set thread context of 5016	4364	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\0018C005F25AF418 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000006061355f83b10c79a8f41f22998be0eea9a94cf1e07c9fe116c0e8de74654c92000000000e800000000200002000000058465b3d1800ffb9d8a7a32b945acd66ad06ef6cc9da78d2e8ecd653839527dc80000000f6b882f29daae60bbadf40f99f26a606595456e71df9b530a886a6062a9a3ae95b47d6c4339a5fed1ec6c69b3746685a64bcb88f4149ae725dee0c85b4b3eccbf3500f093e01247b5844835c7f64b1d9ce607325e3d592d3d1eff465f83e7162eebcc785485d2565286fcb6fa890787714e7c0bddccce997b43304e116ea636840000000f6409d443088f46402fdee27c1cd32b33e8423dbbd596875d14fe9f03888551bef48c88b0b3bb5f66959181002095900b0e097653d6f1c848fab2a887d3a86ee	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000fbf0cac18cfd29eabc5b10520ff58beb1f37d15c61f8652160301ad908954889000000000e800000000200002000000094753414507c2d2e5a4243c20ac178eb221e1160fdd2aa8fd4702ad28a676e64100d0000364df13381041c36cbaf7d67dc0fdf5e5a2cfe1b85034e404aebbf717cd6651c44a42c7ffa4754ccab1f73dc0aa5e340ba9bd7534daa8182cd5b222bf0754dcc392bd9f8274982a309ec6fe207b2631d3798ea8a7048ee070c2563ec222b41c4033f3a393a8bd3db117557b4902d482639306b89eef7931883f2e7ccd083865bae1e573e667795e3e44e89740febef59e4839e47e764eaf529d49d25a1fb22e7f12cf07bf9c59cf588ee8472f3f89e1e5b8fd4955187113b7cd9e283bfb05af644d5487bede2c9a7ef2f2049214d5cca9c45cfac38dcf23b94a483679c8a54bcaef94a128314fff3d41cc2cdc0508f441e8eec8229fc1ba7b403856e3491192426fd1cf79470a7f932cc043ad44b720fdea1c0653441bf48a80809edf299d3959caa59b873a3642380ecd5f60270f0a1b49b23d2ab1b3ec01c13c9160593be2df13594d186eb0f7669387aaef4c33dfe4a807f67c30dc4fc56e04ff2d5f510e1e7df7ad32ee748924175f3c3c502b0e30a0cc0636e85de3e6cb8a0eedd9525614edda9e40a44a53db290f17161b41018d00f209d92f629c2eea4b0e2a2a0bff2df1c85cb604ae349fef3e091a99c853b51ef8b72bfaacea697405de7de3117e785adceae9b78c73e4f4891fbb184ebf7c189b552dbfcca330dbff8e38ea2e6b8be08ba49b38dbf4923ca9deaa12298de3a6fae071d021c9b2a453ded2f76d34e388439364bba9f2ffe4a821afa185c165a41cf4b1a780e052ab0851297e4560aa2ce7e6438d6b15a295f20ee13e56059072fdf25eca0b05d02c272acbac9c87fbbcbfa89199e5de80f0fb81a5f202cce248dd3a7d75e66d250acba761ef435cda09c099a87e7d4703ac780909228e163131b171bf0e7fc30e8e8668451589285e50fa23f81a6adb2066012dcff4582e7582bd1bd4937a46e201b71dc9a6192cbc32f966155f108892e72c1e27378965bf3c115e785f86b26096ed458e72644d05f4e754fd244dc0368a5f77c8f90443e5db726becaf5f72aae4a48947023f8357b82ce8066e69e3974a3c0e78c7f2ce710f48909377e70708242c0c51afd3664a6c850538dd985f3a243abd189c9adaa16026f9b79a1d8c5615a058f710a405904582cc802ce98050bc3c14ec8f31a3f164c2084198acd3f76a0626efb00a133b37fa616bed6ce65a40e4f80f4d788cf4535f497ded0c089cba88ecd78a0b60093ed9f66a87fbcc01e0da21f26d24a532ffaae9af5cfcade0d97bb0db89060abff7917f0c866ee400c72331e46ccb754025212cb64dedd1a8efddaded18fb3d35ea4f618c62aed4997a6712062eadd2c565aa5a28c1edcb9971dd3ae22f848a9229b19cbd1ddfc5132599c457db592802fb3ef3f6630cc4e6e66789ea7255c2639ab8e46286d57b28a30d2b2bfd180fa4fa7103f1733d83b82f5c7d09561111bbd6e89b74ed27f56e82788654e561229adfd3b9d09334284c4ee450409cdef6d4a8dfd257f96b33370de3f58e7af62bd287bab8efee85c76bca3d4bf13e22703f6bcef5f38a6aaf1c898948c20de866df0567a41945b5b1ae8f9968f9514ca16de6866aff6ca31dce65b3a1fe7c07ca263d1a182295ac2834b78987ceec11a6c622158091b51dd33306bcae2b80df391f7dd2d4e53e81d9c88bdc235800adf3b335977c8c5c3847b16c5b9a27dc930a75a3cc75fa4eff93ad5d25941f547aa202efff0001a89cedae5c9e71cb490ee8376ee3ab109520355c88e808c581918c7a4c624ce58fcab47c6ba021e739af57ffa97c2a12a10418726761492555b2ce736dd3ba11b303b33c3ebd7eb7b6f539e389af28cada0f70252c7ddf517b0ea507f1b2d3f2f5eaa027bfb42a9ec1a4ba1d0eb5f6834cda0cddecc7c9874d70480d03ad99faf8c0f13f6534c6f0be12e92520451e44457fdf70d00bd7ca43cc9f4673b0aed237a9fc2e1c959b0a52a7ee31c1c870bc3d0dc2d00e9f78d70dcb1003aa1418da9a3edeae85ac672b86d8c2a7c197524cead94050df5bd0a15c6a912af489e26be35776bdcf2b3630d4ea27826c19f426b8dc94edc2ee9600b704cf9037973c9ca6f82e0d49bbeda9482add22e4a04c00ab01dfae4d413517768b9bd45d6f2124576b6add905c9ab44416c14346254c12d29577ca51f0541aacf8f4ac9c8407bb1bf58fd6ae527d930359b6bcaf7b96a69b4f8f4b4714d9d6f15df0c753b72f9fc1674514a2d446ca56b5f4632d1ae1b89c4469149a3fd9c313d24356076f7e347b17c13e8530fa6210ae0ce4ee2f0518f5ee598e27e7ced01e9acf4420ee95a7a7d4a10e2bd8e58478b973c30dfa55f1268230b93b86f430d5c252d1dca51b51b7e9a1bad340bb4e5388a099b27408ec64c041875bd0088a8b998a2a6d75b9d4c06fb954c3c32975f5ec422524a08c8b6b8750f67f9cf43d55aece4c7000a19e697890f18ba4338de134fb62f3b164726d95f19e55baaa53a07339bf55431c8b5e01ba3c83ece9f9082e00b7784ba2230136e1cf92b35302c3744b629e0ab6fd64ae8e63fc89fc0b19fe594fab2dc4fbd426325f9cd47ac7417640286041cff1d8efe4c332b9128caeb83c7a46eb79d0437cebf92f65bbcba888d73d0e949c474df5fa59c7c8607204575005dfc06aaf28f6dbeadfb63f328f63c4e9156355eb11b7c1b5416a0557f0677ef6ef0b7a2b51a42a68c5d15952b093b18e8981e84f1bd5896c911266d5ba0246be0625a68d4edc75817b7900f76b377b73cb223b363ab27b2c4e61af942a48069133c2a1ce1a6080381f6077b6afd4f9e9ad8686a1dc8f0b8dd7506cca4a7e68e2a59cec9d3c2552797a14b878a78a9613b8d35ee04c689c9acfbc7582dba1bf577551a8e943e07c9212099c1938cc57960320acaba724e5565284ef43de3e837eaea7949ac97ff199ee951959fcfbf716a99aace047ca217b7c451b26f51b1d5ed4bb56a0d7de87bcad2d2ef92760e6ca021f38f4f154b466fe2fd40d39114e25eb1cf403c0dfac3fd1f06222648310ed646c79174e708044d54628c32b73355b80a1636c30ddf2ac262869391cf154337cb367f6858b2b0175340d9c22f2fd9a657c0755213da2c225f6b29c06c86b83c02563738bcf69c0afadffdc6c57820cdeab9f688a3608afa72dfc771fd6dde89532d67add9d25e1350f9de60cc24890d46198ee06b4165bc9ff969dc2e65f1b3f4e8597b158d07ca2c09c3ba0cca8233177cf1e3da3b889ca64068d3d7065f5c628959a793d3069d1c9c75ab30c4b387170aff301b10737c6d4db26cc4f1293484e5cd3326e999957bfeee85ef7263adda79dd0989385704073e9e368385fe1b54a04863da0999c001ad408b6648ad9b567fcd5b8b147f38c9f00cb09d6c0d0e6fc3876543a1c27ef4abcc7665678e3120b13458a04d89946fcef4df5a2756556d7374584158902372f459b1e9fedafc9f79b83f261e7c6e37c411f752dbc60925cdedf24b1b6416e38064b49d1d94beb045f23f8a1b4104c56178ca3d8d388b5a41155d1371b65190b633e41b4a6b3b13598625e128e470a5a33f88f4e695de1b686a74472182cb3b540ad551bcb346de10fb515c3782b3ab31741ecb226d14787e2894457dbf717d31b01835af87fd459dfe9ce7958ab00ad3f6c2962aedb979516904599405d159697c070517645d7fb3f54d6c666c0a53a4316f3c0d781cde4e1108850ad9d0124f8a2a9ccbd4bff726879cee1c6df5850d02f52c84d116f794c47fe483ca7504e35ed800ef53f098dbc86cf0d9876fb862b8495f2c1c5aaeecf8e04a735cb85e887b833ce04e508ad5f89f4f672e61227f663628da1a2482bf456399480438aa1c9427d8cfeffab35afb16b5e531ef818d4cb414d5e059da66aaf04ca8d409817e08d1f9427fd92af0f6571652406d45d31a3c4812345a1acc450640a80317cd13fed152b6d68471839cc5c58cf044292d9d348529095e54f3aa445a9cf80c8f3080403bdea8d15bc9f152522536355843c67f3b0c40ae96662bb4dc00102fb15ca83997e02e7e364a1ad27b923ed7f05d3bb072491f7638eec7caef79f8c8fb799a64094ab69812537172911d1261bcd5831b4a315842e9327eb3258236bab3795c2303190abd55c37ba68b3cc52c7c9e57f4f360dbc741a7a14ab3c31b01ef4fda16c4841405412f365432ac8543a368dbb066b25dcbd04f48997469db6734be65912f4a3f4f14c09e42c9726ba68766a1774d8bfe738d5d3382d3ff51ff01906c9c0c032089694643b88cd67d960b6a4b858003c9bc808f563b34b95f5997d357485065f1ebb85484b37ca1dfd9ed71ff14b23faf6067d4e20bd60361c6fa021405f1160c557b201e3547588e2494450f33022d0c74683ed5cf820fecf47724bbd141109644411e169a9a3060eeed6468df09816d391053ed70b8ae904600027e4e7e03705ee169fb2e3d55b48bcb398be43c517fb61a5d27afe5a5483bd64b0acc755770fe2ab78a6232f06cb0bc9aa2d93a59323d75cbe91d95144ae4d36c4e82d76638e0373e15fe2c72260b4156b1bb33bf1ef9993fdb0c95ad13680418d2068df5c2195d3622c768ad08acf15043f5e794901adffd90838b322351ab98f1195508f1c539a37729b6e9004a091d7f2424e3526a0240b712292b7e949a373d6e6f773a167319943675a64ca084e303c8fc50d5d7907c93936dac9ddfb168b2469e2b5b400000006669acbe9fd40e72518c1af359ed78dd9ea7d9e7c72db0582deb620ab1281214c5350ee72c2055c5ac451741151c38538d097c5b5105534f7b654a8a3d345ac3	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "0018C005F25AF418"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exee789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe

pid	process
4364	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe
4364	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe
5016	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe
5016	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe

description pid process

Token: SeDebugPrivilege 4364 e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe

description	pid	process
Token: SeDebugPrivilege	4364	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe

description	pid	process	target process
PID 4364 wrote to memory of 2980	4364	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe
PID 4364 wrote to memory of 2980	4364	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe
PID 4364 wrote to memory of 2980	4364	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe
PID 4364 wrote to memory of 5016	4364	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe
PID 4364 wrote to memory of 5016	4364	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe
PID 4364 wrote to memory of 5016	4364	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe
PID 4364 wrote to memory of 5016	4364	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe
PID 4364 wrote to memory of 5016	4364	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe
PID 4364 wrote to memory of 5016	4364	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe	e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe

C:\Users\Admin\AppData\Local\Temp\e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe
"C:\Users\Admin\AppData\Local\Temp\e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364

C:\Users\Admin\AppData\Local\Temp\e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe
"C:\Users\Admin\AppData\Local\Temp\e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe"
2⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe
"C:\Users\Admin\AppData\Local\Temp\e789763966dffd326114e10b489f2a3b981ccd11f189028704dbbd9a10d33823.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:4340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2980-139-0x0000000000000000-mapping.dmp

Download
memory/4364-134-0x00000000009A0000-0x0000000000AA2000-memory.dmp

Filesize
1.0MB

Download
memory/4364-135-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download
memory/4364-136-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/4364-137-0x00000000054F0000-0x00000000054FA000-memory.dmp

Filesize
40KB

Download
memory/4364-138-0x0000000008FB0000-0x000000000904C000-memory.dmp

Filesize
624KB

Download
memory/5016-140-0x0000000000000000-mapping.dmp

Download
memory/5016-141-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5016-142-0x0000000001180000-0x00000000014CA000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads