xloader | 6cdd6c36d145369a75d707b389376e1c4854c927c6ba2635c59600e92bb7d050

General

Target

6cdd6c36d145369a75d707b389376e1c4854c927c6ba2635c59600e92bb7d050.exe
Size

339KB
MD5

8ca9c51a9d1c5ffd366b8bdf620aa5e3
SHA1

3ef8a19e0d2b81e82d5e8b492e687ef3baade09f
SHA256

6cdd6c36d145369a75d707b389376e1c4854c927c6ba2635c59600e92bb7d050
SHA512

2ac6376f38194d32fc181299b4f4ad70285ad4191ca0cfe377c30f71e964196827278ac1f3280d562b05d46378319570eea6d1c3e66c37c83c9128f348c91f9c

Score

10^/10

xloader ahc8 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3820-119-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/3820-120-0x000000000041D4F0-mapping.dmp	xloader
behavioral1/memory/3820-124-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/3848-129-0x0000000002FD0000-0x0000000002FF9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

hmikwdpqfm.exehmikwdpqfm.exe

pid process

3508 hmikwdpqfm.exe
3820 hmikwdpqfm.exe

pid	process
3508	hmikwdpqfm.exe
3820	hmikwdpqfm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

hmikwdpqfm.exehmikwdpqfm.execmmon32.exe

description	pid	process	target process
PID 3508 set thread context of 3820	3508	hmikwdpqfm.exe	hmikwdpqfm.exe
PID 3820 set thread context of 2312	3820	hmikwdpqfm.exe	Explorer.EXE
PID 3848 set thread context of 2312	3848	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

hmikwdpqfm.execmmon32.exe

pid	process
3820	hmikwdpqfm.exe
3820	hmikwdpqfm.exe
3820	hmikwdpqfm.exe
3820	hmikwdpqfm.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe
3848	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2312 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

hmikwdpqfm.execmmon32.exe

pid process

3820 hmikwdpqfm.exe
3820 hmikwdpqfm.exe
3820 hmikwdpqfm.exe
3848 cmmon32.exe
3848 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hmikwdpqfm.execmmon32.exe

description pid process

Token: SeDebugPrivilege 3820 hmikwdpqfm.exe
Token: SeDebugPrivilege 3848 cmmon32.exe

pid	process
2312	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3820	hmikwdpqfm.exe
Token: SeDebugPrivilege	3848	cmmon32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

6cdd6c36d145369a75d707b389376e1c4854c927c6ba2635c59600e92bb7d050.exehmikwdpqfm.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 2512 wrote to memory of 3508	2512	6cdd6c36d145369a75d707b389376e1c4854c927c6ba2635c59600e92bb7d050.exe	hmikwdpqfm.exe
PID 2512 wrote to memory of 3508	2512	6cdd6c36d145369a75d707b389376e1c4854c927c6ba2635c59600e92bb7d050.exe	hmikwdpqfm.exe
PID 2512 wrote to memory of 3508	2512	6cdd6c36d145369a75d707b389376e1c4854c927c6ba2635c59600e92bb7d050.exe	hmikwdpqfm.exe
PID 3508 wrote to memory of 3820	3508	hmikwdpqfm.exe	hmikwdpqfm.exe
PID 3508 wrote to memory of 3820	3508	hmikwdpqfm.exe	hmikwdpqfm.exe
PID 3508 wrote to memory of 3820	3508	hmikwdpqfm.exe	hmikwdpqfm.exe
PID 3508 wrote to memory of 3820	3508	hmikwdpqfm.exe	hmikwdpqfm.exe
PID 3508 wrote to memory of 3820	3508	hmikwdpqfm.exe	hmikwdpqfm.exe
PID 3508 wrote to memory of 3820	3508	hmikwdpqfm.exe	hmikwdpqfm.exe
PID 2312 wrote to memory of 3848	2312	Explorer.EXE	cmmon32.exe
PID 2312 wrote to memory of 3848	2312	Explorer.EXE	cmmon32.exe
PID 2312 wrote to memory of 3848	2312	Explorer.EXE	cmmon32.exe
PID 3848 wrote to memory of 3844	3848	cmmon32.exe	cmd.exe
PID 3848 wrote to memory of 3844	3848	cmmon32.exe	cmd.exe
PID 3848 wrote to memory of 3844	3848	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2312

C:\Users\Admin\AppData\Local\Temp\6cdd6c36d145369a75d707b389376e1c4854c927c6ba2635c59600e92bb7d050.exe
"C:\Users\Admin\AppData\Local\Temp\6cdd6c36d145369a75d707b389376e1c4854c927c6ba2635c59600e92bb7d050.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Local\Temp\hmikwdpqfm.exe
C:\Users\Admin\AppData\Local\Temp\hmikwdpqfm.exe C:\Users\Admin\AppData\Local\Temp\wmzaavkvn
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3508

C:\Users\Admin\AppData\Local\Temp\hmikwdpqfm.exe
C:\Users\Admin\AppData\Local\Temp\hmikwdpqfm.exe C:\Users\Admin\AppData\Local\Temp\wmzaavkvn
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3964

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\hmikwdpqfm.exe"
3⤵
PID:3844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hmikwdpqfm.exe
Filesize
5KB

MD5
82f727731cfd99adb7c7791024010ea6

SHA1
9097fed498c15365c893de751dc09202d0ec7b19

SHA256
c8c57849d145e4a6fb3b3504714c4ca2ba34a9d0fe84f0b62e2cdc0b1274499a

SHA512
f21e330eb6d2cfb89fc1335c9f917edd545765d4105cfdb28bb30caf4fbccd86770645a8f84f6d3566ff8b421c68d9186d760162572a5ca049cc9100c5b019ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmikwdpqfm.exe
Filesize
5KB

MD5
82f727731cfd99adb7c7791024010ea6

SHA1
9097fed498c15365c893de751dc09202d0ec7b19

SHA256
c8c57849d145e4a6fb3b3504714c4ca2ba34a9d0fe84f0b62e2cdc0b1274499a

SHA512
f21e330eb6d2cfb89fc1335c9f917edd545765d4105cfdb28bb30caf4fbccd86770645a8f84f6d3566ff8b421c68d9186d760162572a5ca049cc9100c5b019ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmikwdpqfm.exe
Filesize
5KB

MD5
82f727731cfd99adb7c7791024010ea6

SHA1
9097fed498c15365c893de751dc09202d0ec7b19

SHA256
c8c57849d145e4a6fb3b3504714c4ca2ba34a9d0fe84f0b62e2cdc0b1274499a

SHA512
f21e330eb6d2cfb89fc1335c9f917edd545765d4105cfdb28bb30caf4fbccd86770645a8f84f6d3566ff8b421c68d9186d760162572a5ca049cc9100c5b019ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmzaavkvn
Filesize
5KB

MD5
5e51dab26c8fed623ae87ddc2656dabb

SHA1
d7d5c786f063e4d133c88f745775a8b79a484bbe

SHA256
bbcd54d358af35a2e56ebf9957fc0ff26bdb58bc663156f4a338d074491dc8bd

SHA512
14315102e4b16b15a1bc1a92ecf9787451d39c0edc25dff31ee6bf87f1eb52d007ebc37d717626299d39126acef1204a37f1706e71aa2a69ce23e2dd12eb64c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzqne7xgv46yime5nwb2
Filesize
213KB

MD5
ac55129efa2fd551e4eceeaa2ff57bd6

SHA1
8736beea239a41de6c8d1358fad0f146819b711e

SHA256
18f06bb5d726cc75bb9acd624f9a95253a9c1f3d131a40f21d05617d9b59e2fd

SHA512
a23a913271b4e5b3cdffe870cf2aed0b78422e8d806c051dd768bb0b6aa11afcc9e6aa85102ae5e1e39fedf43d0ba9f0ea6fb6b21522c3bd4aa7997fffa55552

Download Submit
memory/2312-133-0x0000000000F70000-0x000000000102C000-memory.dmp

Filesize
752KB

Download
memory/2312-126-0x0000000005590000-0x000000000572C000-memory.dmp

Filesize
1.6MB

Download
memory/3508-114-0x0000000000000000-mapping.dmp

Download
memory/3820-123-0x0000000000E70000-0x0000000001190000-memory.dmp

Filesize
3.1MB

Download
memory/3820-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3820-125-0x0000000000CD0000-0x0000000000E6E000-memory.dmp

Filesize
1.6MB

Download
memory/3820-120-0x000000000041D4F0-mapping.dmp

Download
memory/3820-119-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3844-130-0x0000000000000000-mapping.dmp

Download
memory/3848-127-0x0000000000000000-mapping.dmp

Download
memory/3848-129-0x0000000002FD0000-0x0000000002FF9000-memory.dmp

Filesize
164KB

Download
memory/3848-128-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download
memory/3848-131-0x0000000004700000-0x0000000004A20000-memory.dmp

Filesize
3.1MB

Download
memory/3848-132-0x0000000004AB0000-0x0000000004B40000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads