xloader | 413e58ab30e56edfaa7899ebe3fc8655314c993db5a0d1840100752ba6be0be0

General

Target

dekont 2022.exe
Size

219KB
MD5

b432fee7f4857a9ad25f143b2ac645a9
SHA1

cd7beb58da064e0caebcc5604893bb3be6568b45
SHA256

413e58ab30e56edfaa7899ebe3fc8655314c993db5a0d1840100752ba6be0be0
SHA512

55558e311529a70cbb6406ea0e1bf409328960e23ee0bb961768ea5c11dd2476da8dd2cc12cff2945fc8e97ba9f99342c866c9b91fc47a42e082178bd3144ec8

Score

10^/10

xloader cbgo loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

santesha.com

britneysbeautybar.com

sh-cy17.com

jeffcarveragency.com

3117111.com

sobrehosting.net

ddm123.xyz

toxcompliance.com

auditorydesigns.com

vliftfacial.com

ielhii.com

naameliss.com

ritualchariot.com

solchange.com

quatre-vingts.design

lawnmowermashine.com

braceletsstore.net

admappy.com

tollivercoltd.com

vaidix.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1708-64-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1708-65-0x000000000041D450-mapping.dmp	xloader
behavioral1/memory/1128-74-0x00000000000B0000-0x00000000000D9000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

16 1128 wscript.exe
Executes dropped EXE 2 IoCs

Processes:

mjabhrxdeb.exemjabhrxdeb.exe

pid process

1736 mjabhrxdeb.exe
1708 mjabhrxdeb.exe
Loads dropped DLL 3 IoCs

Processes:

dekont 2022.exemjabhrxdeb.exe

pid process

1644 dekont 2022.exe
1644 dekont 2022.exe
1736 mjabhrxdeb.exe

flow	pid	process
16	1128	wscript.exe

pid	process
1736	mjabhrxdeb.exe
1708	mjabhrxdeb.exe

pid	process
1644	dekont 2022.exe
1644	dekont 2022.exe
1736	mjabhrxdeb.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

mjabhrxdeb.exemjabhrxdeb.exewscript.exe

description	pid	process	target process
PID 1736 set thread context of 1708	1736	mjabhrxdeb.exe	mjabhrxdeb.exe
PID 1708 set thread context of 1428	1708	mjabhrxdeb.exe	Explorer.EXE
PID 1128 set thread context of 1428	1128	wscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

mjabhrxdeb.exewscript.exe

pid	process
1708	mjabhrxdeb.exe
1708	mjabhrxdeb.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe
1128	wscript.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

mjabhrxdeb.exewscript.exe

pid process

1708 mjabhrxdeb.exe
1708 mjabhrxdeb.exe
1708 mjabhrxdeb.exe
1128 wscript.exe
1128 wscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mjabhrxdeb.exewscript.exe

description pid process

Token: SeDebugPrivilege 1708 mjabhrxdeb.exe
Token: SeDebugPrivilege 1128 wscript.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1428 Explorer.EXE
1428 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1428 Explorer.EXE
1428 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1708	mjabhrxdeb.exe
Token: SeDebugPrivilege	1128	wscript.exe

pid	process
1428	Explorer.EXE
1428	Explorer.EXE

pid	process
1428	Explorer.EXE
1428	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

dekont 2022.exemjabhrxdeb.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 1644 wrote to memory of 1736	1644	dekont 2022.exe	mjabhrxdeb.exe
PID 1644 wrote to memory of 1736	1644	dekont 2022.exe	mjabhrxdeb.exe
PID 1644 wrote to memory of 1736	1644	dekont 2022.exe	mjabhrxdeb.exe
PID 1644 wrote to memory of 1736	1644	dekont 2022.exe	mjabhrxdeb.exe
PID 1736 wrote to memory of 1708	1736	mjabhrxdeb.exe	mjabhrxdeb.exe
PID 1736 wrote to memory of 1708	1736	mjabhrxdeb.exe	mjabhrxdeb.exe
PID 1736 wrote to memory of 1708	1736	mjabhrxdeb.exe	mjabhrxdeb.exe
PID 1736 wrote to memory of 1708	1736	mjabhrxdeb.exe	mjabhrxdeb.exe
PID 1736 wrote to memory of 1708	1736	mjabhrxdeb.exe	mjabhrxdeb.exe
PID 1736 wrote to memory of 1708	1736	mjabhrxdeb.exe	mjabhrxdeb.exe
PID 1736 wrote to memory of 1708	1736	mjabhrxdeb.exe	mjabhrxdeb.exe
PID 1428 wrote to memory of 1128	1428	Explorer.EXE	wscript.exe
PID 1428 wrote to memory of 1128	1428	Explorer.EXE	wscript.exe
PID 1428 wrote to memory of 1128	1428	Explorer.EXE	wscript.exe
PID 1428 wrote to memory of 1128	1428	Explorer.EXE	wscript.exe
PID 1128 wrote to memory of 2016	1128	wscript.exe	cmd.exe
PID 1128 wrote to memory of 2016	1128	wscript.exe	cmd.exe
PID 1128 wrote to memory of 2016	1128	wscript.exe	cmd.exe
PID 1128 wrote to memory of 2016	1128	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\dekont 2022.exe
"C:\Users\Admin\AppData\Local\Temp\dekont 2022.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe
C:\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe C:\Users\Admin\AppData\Local\Temp\snialyaeho
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe
C:\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe C:\Users\Admin\AppData\Local\Temp\snialyaeho
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe"
3⤵
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe
Filesize
65KB

MD5
ebc78b15b08cbdbe9d97f4c4a1d2f581

SHA1
3b11c202e6a2fe5bf518854f6ba5aa722fed1cf5

SHA256
133d4e616c1d84e1210cbc95408fb9fa7c95647b964dc9d93cf0da0f18cec736

SHA512
6f93407a01c2a68de283a96b73a08f737de90c26c6781bc2b1c133b667d0fbc8ba14df0cb24a6915956d6e00c964b0a58301893a583141c8f580b009570cecdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe
Filesize
65KB

MD5
ebc78b15b08cbdbe9d97f4c4a1d2f581

SHA1
3b11c202e6a2fe5bf518854f6ba5aa722fed1cf5

SHA256
133d4e616c1d84e1210cbc95408fb9fa7c95647b964dc9d93cf0da0f18cec736

SHA512
6f93407a01c2a68de283a96b73a08f737de90c26c6781bc2b1c133b667d0fbc8ba14df0cb24a6915956d6e00c964b0a58301893a583141c8f580b009570cecdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe
Filesize
65KB

MD5
ebc78b15b08cbdbe9d97f4c4a1d2f581

SHA1
3b11c202e6a2fe5bf518854f6ba5aa722fed1cf5

SHA256
133d4e616c1d84e1210cbc95408fb9fa7c95647b964dc9d93cf0da0f18cec736

SHA512
6f93407a01c2a68de283a96b73a08f737de90c26c6781bc2b1c133b667d0fbc8ba14df0cb24a6915956d6e00c964b0a58301893a583141c8f580b009570cecdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rd0vbkwpvw
Filesize
163KB

MD5
519f332951512ab70b509950d645576b

SHA1
4edb7ad778e85239cb03122e7fa2d80eb3b59f89

SHA256
213c9ea7d346397bfafeeb6cf96a92ff1072c870b47054eea468bbc856c3d801

SHA512
e4f81a56334d069368870dfdb80830d9ae8e4f290ad12b1b221be67365c1359d102395ddef7a3dad4e0cc35960fb598c0ffb680eda3004436a6b8861bafa27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\snialyaeho
Filesize
5KB

MD5
48c66b750085965860331ce2e105fec7

SHA1
95c87505daf5e871e5fc0f6e67a5ed9a38be818a

SHA256
3b9903268cf9e95f2ebb8275bc67230eefa3b59f8cfff1b7e9119473366017a2

SHA512
18358a00a936b4f58052477c5b1f6894cd994916ae94c606fed7fffc5280ba0e73d77a5f89781c5a5d974fca97c8d1b14bd760b5e138cc0d03f1c5f444cb3c16

Download Submit
\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe
Filesize
65KB

MD5
ebc78b15b08cbdbe9d97f4c4a1d2f581

SHA1
3b11c202e6a2fe5bf518854f6ba5aa722fed1cf5

SHA256
133d4e616c1d84e1210cbc95408fb9fa7c95647b964dc9d93cf0da0f18cec736

SHA512
6f93407a01c2a68de283a96b73a08f737de90c26c6781bc2b1c133b667d0fbc8ba14df0cb24a6915956d6e00c964b0a58301893a583141c8f580b009570cecdd

Download Submit
\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe
Filesize
65KB

MD5
ebc78b15b08cbdbe9d97f4c4a1d2f581

SHA1
3b11c202e6a2fe5bf518854f6ba5aa722fed1cf5

SHA256
133d4e616c1d84e1210cbc95408fb9fa7c95647b964dc9d93cf0da0f18cec736

SHA512
6f93407a01c2a68de283a96b73a08f737de90c26c6781bc2b1c133b667d0fbc8ba14df0cb24a6915956d6e00c964b0a58301893a583141c8f580b009570cecdd

Download Submit
\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe
Filesize
65KB

MD5
ebc78b15b08cbdbe9d97f4c4a1d2f581

SHA1
3b11c202e6a2fe5bf518854f6ba5aa722fed1cf5

SHA256
133d4e616c1d84e1210cbc95408fb9fa7c95647b964dc9d93cf0da0f18cec736

SHA512
6f93407a01c2a68de283a96b73a08f737de90c26c6781bc2b1c133b667d0fbc8ba14df0cb24a6915956d6e00c964b0a58301893a583141c8f580b009570cecdd

Download Submit
memory/1128-71-0x0000000000000000-mapping.dmp

Download
memory/1128-73-0x00000000002E0000-0x0000000000306000-memory.dmp

Filesize
152KB

Download
memory/1128-76-0x0000000001EC0000-0x0000000001F50000-memory.dmp

Filesize
576KB

Download
memory/1128-75-0x0000000001F60000-0x0000000002263000-memory.dmp

Filesize
3.0MB

Download
memory/1128-74-0x00000000000B0000-0x00000000000D9000-memory.dmp

Filesize
164KB

Download
memory/1428-77-0x0000000004A50000-0x0000000004B1B000-memory.dmp

Filesize
812KB

Download
memory/1428-70-0x00000000068C0000-0x0000000006A0C000-memory.dmp

Filesize
1.3MB

Download
memory/1644-54-0x0000000076781000-0x0000000076783000-memory.dmp

Filesize
8KB

Download
memory/1708-64-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1708-69-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download
memory/1708-68-0x0000000000850000-0x0000000000B53000-memory.dmp

Filesize
3.0MB

Download
memory/1708-65-0x000000000041D450-mapping.dmp

Download
memory/1736-57-0x0000000000000000-mapping.dmp

Download
memory/2016-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads