xloader | 7889cc6835fa2dad91efec45745239704b8d8ca2932ade574e92b9c28bf348c1

General

Target

odeme hk.exe
Size

241KB
MD5

15081733bdf5f7905acbd5c7a345843e
SHA1

331ccc05d3464742069af263f507931e5eeac1b1
SHA256

7889cc6835fa2dad91efec45745239704b8d8ca2932ade574e92b9c28bf348c1
SHA512

368d0ac3cf78688a8f8900d78794bd0102068aacebb19b64ec17229000d357b82e9e15daa0e2f7a99c8ef2ee5e90dde1830d2440eef3fdfaf194ea71fdfa3a65

Score

10^/10

xloader cbgo loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

santesha.com

britneysbeautybar.com

sh-cy17.com

jeffcarveragency.com

3117111.com

sobrehosting.net

ddm123.xyz

toxcompliance.com

auditorydesigns.com

vliftfacial.com

ielhii.com

naameliss.com

ritualchariot.com

solchange.com

quatre-vingts.design

lawnmowermashine.com

braceletsstore.net

admappy.com

tollivercoltd.com

vaidix.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1644-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1644-64-0x000000000041D450-mapping.dmp	xloader
behavioral1/memory/1644-67-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1256-74-0x00000000000C0000-0x00000000000E9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

ubuuqdyno.exeubuuqdyno.exe

pid process

608 ubuuqdyno.exe
1644 ubuuqdyno.exe
Loads dropped DLL 2 IoCs

Processes:

odeme hk.exeubuuqdyno.exe

pid process

844 odeme hk.exe
608 ubuuqdyno.exe

pid	process
608	ubuuqdyno.exe
1644	ubuuqdyno.exe

pid	process
844	odeme hk.exe
608	ubuuqdyno.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ubuuqdyno.exeubuuqdyno.exechkdsk.exe

description	pid	process	target process
PID 608 set thread context of 1644	608	ubuuqdyno.exe	ubuuqdyno.exe
PID 1644 set thread context of 1212	1644	ubuuqdyno.exe	Explorer.EXE
PID 1256 set thread context of 1212	1256	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

ubuuqdyno.exechkdsk.exe

pid	process
1644	ubuuqdyno.exe
1644	ubuuqdyno.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe
1256	chkdsk.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

ubuuqdyno.exechkdsk.exe

pid process

1644 ubuuqdyno.exe
1644 ubuuqdyno.exe
1644 ubuuqdyno.exe
1256 chkdsk.exe
1256 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ubuuqdyno.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 1644 ubuuqdyno.exe
Token: SeDebugPrivilege 1256 chkdsk.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1644	ubuuqdyno.exe
Token: SeDebugPrivilege	1256	chkdsk.exe

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

odeme hk.exeubuuqdyno.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 844 wrote to memory of 608	844	odeme hk.exe	ubuuqdyno.exe
PID 844 wrote to memory of 608	844	odeme hk.exe	ubuuqdyno.exe
PID 844 wrote to memory of 608	844	odeme hk.exe	ubuuqdyno.exe
PID 844 wrote to memory of 608	844	odeme hk.exe	ubuuqdyno.exe
PID 608 wrote to memory of 1644	608	ubuuqdyno.exe	ubuuqdyno.exe
PID 608 wrote to memory of 1644	608	ubuuqdyno.exe	ubuuqdyno.exe
PID 608 wrote to memory of 1644	608	ubuuqdyno.exe	ubuuqdyno.exe
PID 608 wrote to memory of 1644	608	ubuuqdyno.exe	ubuuqdyno.exe
PID 608 wrote to memory of 1644	608	ubuuqdyno.exe	ubuuqdyno.exe
PID 608 wrote to memory of 1644	608	ubuuqdyno.exe	ubuuqdyno.exe
PID 608 wrote to memory of 1644	608	ubuuqdyno.exe	ubuuqdyno.exe
PID 1212 wrote to memory of 1256	1212	Explorer.EXE	chkdsk.exe
PID 1212 wrote to memory of 1256	1212	Explorer.EXE	chkdsk.exe
PID 1212 wrote to memory of 1256	1212	Explorer.EXE	chkdsk.exe
PID 1212 wrote to memory of 1256	1212	Explorer.EXE	chkdsk.exe
PID 1256 wrote to memory of 1972	1256	chkdsk.exe	cmd.exe
PID 1256 wrote to memory of 1972	1256	chkdsk.exe	cmd.exe
PID 1256 wrote to memory of 1972	1256	chkdsk.exe	cmd.exe
PID 1256 wrote to memory of 1972	1256	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\odeme hk.exe
"C:\Users\Admin\AppData\Local\Temp\odeme hk.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Local\Temp\ubuuqdyno.exe
C:\Users\Admin\AppData\Local\Temp\ubuuqdyno.exe C:\Users\Admin\AppData\Local\Temp\fshzyhg
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:608

C:\Users\Admin\AppData\Local\Temp\ubuuqdyno.exe
C:\Users\Admin\AppData\Local\Temp\ubuuqdyno.exe C:\Users\Admin\AppData\Local\Temp\fshzyhg
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ubuuqdyno.exe"
3⤵
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fshzyhg
Filesize
5KB

MD5
75b4f8755ff2ecc70c316c4ce039d29d

SHA1
1442f83eecdcbc8bb65071cbf859faa73795f797

SHA256
af93c6c36b842b448ecb49550bf1f27a4bb9f204b4ac70b9d734e42a1166a058

SHA512
0f3fd416b9bf2e139cd9647350bfba0cb8f2d5e3de0d75ca4a38c5b6235d88c5f6e6a43ee576a42fd2368fec52b52ec6ef2e4b7593133d3905ed4db2fbb9f0aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\l8xl4238km
Filesize
210KB

MD5
a69d842a43379bb716147690297fe08a

SHA1
50c798ad129f2b4dd6bfbd8d7c7e4dbc0cedec96

SHA256
fa68b75094fb6aaaba539ad87d4e71300f5b396970be859d0c78dc293566bbce

SHA512
5aafc57c2994c5d88a272d2e644d8a7db522caf4956cd755fdb87873c4e2651041aaa71b21dd11d063b643eeedf26e44c40527821da01ec50ef5fb868730261c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubuuqdyno.exe
Filesize
7KB

MD5
f7ecfabdcba23a6e3f742acc5b5f9bd9

SHA1
223d7d6b58433976b17d27ae9be4b63bccb04a51

SHA256
207fe257d8082772686366c4702a86d283b472f13544cad8a2dd60f0d24beac7

SHA512
61d9ee56ff2b34a5037a38d54c13714e568fa34cd6a1af38580e13652fa3c19bc5f7b46664a5bf60e09decaca96ee989812056c3ecb51185df6ee2bdb97cbbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubuuqdyno.exe
Filesize
7KB

MD5
f7ecfabdcba23a6e3f742acc5b5f9bd9

SHA1
223d7d6b58433976b17d27ae9be4b63bccb04a51

SHA256
207fe257d8082772686366c4702a86d283b472f13544cad8a2dd60f0d24beac7

SHA512
61d9ee56ff2b34a5037a38d54c13714e568fa34cd6a1af38580e13652fa3c19bc5f7b46664a5bf60e09decaca96ee989812056c3ecb51185df6ee2bdb97cbbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubuuqdyno.exe
Filesize
7KB

MD5
f7ecfabdcba23a6e3f742acc5b5f9bd9

SHA1
223d7d6b58433976b17d27ae9be4b63bccb04a51

SHA256
207fe257d8082772686366c4702a86d283b472f13544cad8a2dd60f0d24beac7

SHA512
61d9ee56ff2b34a5037a38d54c13714e568fa34cd6a1af38580e13652fa3c19bc5f7b46664a5bf60e09decaca96ee989812056c3ecb51185df6ee2bdb97cbbb3

Download Submit
\Users\Admin\AppData\Local\Temp\ubuuqdyno.exe
Filesize
7KB

MD5
f7ecfabdcba23a6e3f742acc5b5f9bd9

SHA1
223d7d6b58433976b17d27ae9be4b63bccb04a51

SHA256
207fe257d8082772686366c4702a86d283b472f13544cad8a2dd60f0d24beac7

SHA512
61d9ee56ff2b34a5037a38d54c13714e568fa34cd6a1af38580e13652fa3c19bc5f7b46664a5bf60e09decaca96ee989812056c3ecb51185df6ee2bdb97cbbb3

Download Submit
\Users\Admin\AppData\Local\Temp\ubuuqdyno.exe
Filesize
7KB

MD5
f7ecfabdcba23a6e3f742acc5b5f9bd9

SHA1
223d7d6b58433976b17d27ae9be4b63bccb04a51

SHA256
207fe257d8082772686366c4702a86d283b472f13544cad8a2dd60f0d24beac7

SHA512
61d9ee56ff2b34a5037a38d54c13714e568fa34cd6a1af38580e13652fa3c19bc5f7b46664a5bf60e09decaca96ee989812056c3ecb51185df6ee2bdb97cbbb3

Download Submit
memory/608-56-0x0000000000000000-mapping.dmp

Download
memory/844-54-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download
memory/1212-77-0x0000000003E00000-0x0000000003ECF000-memory.dmp

Filesize
828KB

Download
memory/1212-70-0x0000000006060000-0x00000000061AA000-memory.dmp

Filesize
1.3MB

Download
memory/1256-73-0x0000000000E70000-0x0000000000E77000-memory.dmp

Filesize
28KB

Download
memory/1256-76-0x0000000000900000-0x0000000000990000-memory.dmp

Filesize
576KB

Download
memory/1256-75-0x0000000000B40000-0x0000000000E43000-memory.dmp

Filesize
3.0MB

Download
memory/1256-74-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/1256-71-0x0000000000000000-mapping.dmp

Download
memory/1644-64-0x000000000041D450-mapping.dmp

Download
memory/1644-69-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1644-68-0x0000000000490000-0x00000000004A1000-memory.dmp

Filesize
68KB

Download
memory/1644-67-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1644-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1972-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads