xloader | 264709538c4d306bfbf521a73d87b5753f38952b09f597ad405c934139a1082c

General

Target

VIREMENT.exe
Size

244KB
MD5

546ee858992bc35eaf00101cbb261471
SHA1

003d0953cd88b93206b92563779f76df890d31be
SHA256

264709538c4d306bfbf521a73d87b5753f38952b09f597ad405c934139a1082c
SHA512

1f2a8af32136206f8786daf92a7e55653a597cc762e1d8625964f8a84d3d82a12504d4b49047a149478151c83da421e238aff76535f4a180c627c42d271ebe10

Score

10^/10

xloader cbgo loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

santesha.com

britneysbeautybar.com

sh-cy17.com

jeffcarveragency.com

3117111.com

sobrehosting.net

ddm123.xyz

toxcompliance.com

auditorydesigns.com

vliftfacial.com

ielhii.com

naameliss.com

ritualchariot.com

solchange.com

quatre-vingts.design

lawnmowermashine.com

braceletsstore.net

admappy.com

tollivercoltd.com

vaidix.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1360-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1360-64-0x000000000041D450-mapping.dmp	xloader
behavioral1/memory/1360-68-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1248-74-0x00000000000B0000-0x00000000000D9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

rybhocttcn.exerybhocttcn.exe

pid process

904 rybhocttcn.exe
1360 rybhocttcn.exe
Loads dropped DLL 2 IoCs

Processes:

VIREMENT.exerybhocttcn.exe

pid process

1396 VIREMENT.exe
904 rybhocttcn.exe

pid	process
904	rybhocttcn.exe
1360	rybhocttcn.exe

pid	process
1396	VIREMENT.exe
904	rybhocttcn.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

rybhocttcn.exerybhocttcn.execscript.exe

description	pid	process	target process
PID 904 set thread context of 1360	904	rybhocttcn.exe	rybhocttcn.exe
PID 1360 set thread context of 1224	1360	rybhocttcn.exe	Explorer.EXE
PID 1248 set thread context of 1224	1248	cscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

rybhocttcn.execscript.exe

pid	process
1360	rybhocttcn.exe
1360	rybhocttcn.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe
1248	cscript.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

rybhocttcn.execscript.exe

pid process

1360 rybhocttcn.exe
1360 rybhocttcn.exe
1360 rybhocttcn.exe
1248 cscript.exe
1248 cscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rybhocttcn.execscript.exe

description pid process

Token: SeDebugPrivilege 1360 rybhocttcn.exe
Token: SeDebugPrivilege 1248 cscript.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1224 Explorer.EXE
1224 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1224 Explorer.EXE
1224 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1360	rybhocttcn.exe
Token: SeDebugPrivilege	1248	cscript.exe

pid	process
1224	Explorer.EXE
1224	Explorer.EXE

pid	process
1224	Explorer.EXE
1224	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

VIREMENT.exerybhocttcn.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 1396 wrote to memory of 904	1396	VIREMENT.exe	rybhocttcn.exe
PID 1396 wrote to memory of 904	1396	VIREMENT.exe	rybhocttcn.exe
PID 1396 wrote to memory of 904	1396	VIREMENT.exe	rybhocttcn.exe
PID 1396 wrote to memory of 904	1396	VIREMENT.exe	rybhocttcn.exe
PID 904 wrote to memory of 1360	904	rybhocttcn.exe	rybhocttcn.exe
PID 904 wrote to memory of 1360	904	rybhocttcn.exe	rybhocttcn.exe
PID 904 wrote to memory of 1360	904	rybhocttcn.exe	rybhocttcn.exe
PID 904 wrote to memory of 1360	904	rybhocttcn.exe	rybhocttcn.exe
PID 904 wrote to memory of 1360	904	rybhocttcn.exe	rybhocttcn.exe
PID 904 wrote to memory of 1360	904	rybhocttcn.exe	rybhocttcn.exe
PID 904 wrote to memory of 1360	904	rybhocttcn.exe	rybhocttcn.exe
PID 1224 wrote to memory of 1248	1224	Explorer.EXE	cscript.exe
PID 1224 wrote to memory of 1248	1224	Explorer.EXE	cscript.exe
PID 1224 wrote to memory of 1248	1224	Explorer.EXE	cscript.exe
PID 1224 wrote to memory of 1248	1224	Explorer.EXE	cscript.exe
PID 1248 wrote to memory of 2044	1248	cscript.exe	cmd.exe
PID 1248 wrote to memory of 2044	1248	cscript.exe	cmd.exe
PID 1248 wrote to memory of 2044	1248	cscript.exe	cmd.exe
PID 1248 wrote to memory of 2044	1248	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Temp\VIREMENT.exe
"C:\Users\Admin\AppData\Local\Temp\VIREMENT.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\rybhocttcn.exe
C:\Users\Admin\AppData\Local\Temp\rybhocttcn.exe C:\Users\Admin\AppData\Local\Temp\iuddhrt
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Local\Temp\rybhocttcn.exe
C:\Users\Admin\AppData\Local\Temp\rybhocttcn.exe C:\Users\Admin\AppData\Local\Temp\iuddhrt
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1272

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\rybhocttcn.exe"
3⤵
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9wei4rtongh1k80
Filesize
214KB

MD5
0660ddb1a12ffd13ed866ac74452867e

SHA1
ff8d9d5b97d4a4d7892f0a2deacd4857cf3d5a87

SHA256
13e305181e838369cfd34fb44bef4870375799c02f040b0668a194390ad787c5

SHA512
56c4697e4ea9cc817d479d34e9f366bd26f67f6c8cbddbf12c6c62afe339c7eb844870d4dc26e7b519626fc2b2d73fb31a7e5a4eb52d4cc2a42a132a49d3f59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iuddhrt
Filesize
4KB

MD5
96f41ec942e86ad8be144109d2d78c07

SHA1
8bf0832913fee0c280e3e1d1c784434e2bf281e1

SHA256
c14b2ec24e50483148c1eb42e32a40fe2b3d543082605c1aafbc51437c9a716d

SHA512
7e865127473a8a8dbf84d2eb02774f8ac2d4babe61842d61222f2950700ae3d47b3c0bdca4d37ad0bb8a64420b8abbd188f867375afe892136b683c9b4a5173b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rybhocttcn.exe
Filesize
6KB

MD5
48d6b64e066cb9c2af94223327e4f4fa

SHA1
ac744bbed52f912a030cbe4ff1820fc3dc59b72c

SHA256
d82de44e081d8a084d0d0928c740117a254bbfd62b1a37181ec784776c2b3129

SHA512
57e395594da0658ebf09e816a8403ad48dd17450e3c494568f1f6be1e785c26b1ed3899bc84571d725f4637d4bc65907c27af5deb591bbc6ac51424165fd0e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rybhocttcn.exe
Filesize
6KB

MD5
48d6b64e066cb9c2af94223327e4f4fa

SHA1
ac744bbed52f912a030cbe4ff1820fc3dc59b72c

SHA256
d82de44e081d8a084d0d0928c740117a254bbfd62b1a37181ec784776c2b3129

SHA512
57e395594da0658ebf09e816a8403ad48dd17450e3c494568f1f6be1e785c26b1ed3899bc84571d725f4637d4bc65907c27af5deb591bbc6ac51424165fd0e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rybhocttcn.exe
Filesize
6KB

MD5
48d6b64e066cb9c2af94223327e4f4fa

SHA1
ac744bbed52f912a030cbe4ff1820fc3dc59b72c

SHA256
d82de44e081d8a084d0d0928c740117a254bbfd62b1a37181ec784776c2b3129

SHA512
57e395594da0658ebf09e816a8403ad48dd17450e3c494568f1f6be1e785c26b1ed3899bc84571d725f4637d4bc65907c27af5deb591bbc6ac51424165fd0e3a

Download Submit
\Users\Admin\AppData\Local\Temp\rybhocttcn.exe
Filesize
6KB

MD5
48d6b64e066cb9c2af94223327e4f4fa

SHA1
ac744bbed52f912a030cbe4ff1820fc3dc59b72c

SHA256
d82de44e081d8a084d0d0928c740117a254bbfd62b1a37181ec784776c2b3129

SHA512
57e395594da0658ebf09e816a8403ad48dd17450e3c494568f1f6be1e785c26b1ed3899bc84571d725f4637d4bc65907c27af5deb591bbc6ac51424165fd0e3a

Download Submit
\Users\Admin\AppData\Local\Temp\rybhocttcn.exe
Filesize
6KB

MD5
48d6b64e066cb9c2af94223327e4f4fa

SHA1
ac744bbed52f912a030cbe4ff1820fc3dc59b72c

SHA256
d82de44e081d8a084d0d0928c740117a254bbfd62b1a37181ec784776c2b3129

SHA512
57e395594da0658ebf09e816a8403ad48dd17450e3c494568f1f6be1e785c26b1ed3899bc84571d725f4637d4bc65907c27af5deb591bbc6ac51424165fd0e3a

Download Submit
memory/904-56-0x0000000000000000-mapping.dmp

Download
memory/1224-77-0x0000000004070000-0x0000000004125000-memory.dmp

Filesize
724KB

Download
memory/1224-70-0x0000000004BA0000-0x0000000004CBF000-memory.dmp

Filesize
1.1MB

Download
memory/1248-71-0x0000000000000000-mapping.dmp

Download
memory/1248-76-0x0000000002240000-0x00000000022D0000-memory.dmp

Filesize
576KB

Download
memory/1248-74-0x00000000000B0000-0x00000000000D9000-memory.dmp

Filesize
164KB

Download
memory/1248-75-0x0000000001F30000-0x0000000002233000-memory.dmp

Filesize
3.0MB

Download
memory/1248-73-0x00000000006A0000-0x00000000006C2000-memory.dmp

Filesize
136KB

Download
memory/1360-64-0x000000000041D450-mapping.dmp

Download
memory/1360-68-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1360-69-0x0000000000180000-0x0000000000191000-memory.dmp

Filesize
68KB

Download
memory/1360-67-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/1360-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1396-54-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/2044-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads