xloader | 413e58ab30e56edfaa7899ebe3fc8655314c993db5a0d1840100752ba6be0be0

General

Target

dekont 2022.exe
Size

219KB
MD5

b432fee7f4857a9ad25f143b2ac645a9
SHA1

cd7beb58da064e0caebcc5604893bb3be6568b45
SHA256

413e58ab30e56edfaa7899ebe3fc8655314c993db5a0d1840100752ba6be0be0
SHA512

55558e311529a70cbb6406ea0e1bf409328960e23ee0bb961768ea5c11dd2476da8dd2cc12cff2945fc8e97ba9f99342c866c9b91fc47a42e082178bd3144ec8

Score

10^/10

xloader cbgo loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

santesha.com

britneysbeautybar.com

sh-cy17.com

jeffcarveragency.com

3117111.com

sobrehosting.net

ddm123.xyz

toxcompliance.com

auditorydesigns.com

vliftfacial.com

ielhii.com

naameliss.com

ritualchariot.com

solchange.com

quatre-vingts.design

lawnmowermashine.com

braceletsstore.net

admappy.com

tollivercoltd.com

vaidix.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4832-136-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4832-139-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4760-145-0x0000000000200000-0x0000000000229000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

mjabhrxdeb.exemjabhrxdeb.exe

pid process

4576 mjabhrxdeb.exe
4832 mjabhrxdeb.exe

pid	process
4576	mjabhrxdeb.exe
4832	mjabhrxdeb.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

mjabhrxdeb.exemjabhrxdeb.execmd.exe

description	pid	process	target process
PID 4576 set thread context of 4832	4576	mjabhrxdeb.exe	mjabhrxdeb.exe
PID 4832 set thread context of 8	4832	mjabhrxdeb.exe	Explorer.EXE
PID 4760 set thread context of 8	4760	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

mjabhrxdeb.execmd.exe

pid	process
4832	mjabhrxdeb.exe
4832	mjabhrxdeb.exe
4832	mjabhrxdeb.exe
4832	mjabhrxdeb.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe
4760	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

8 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

mjabhrxdeb.execmd.exe

pid process

4832 mjabhrxdeb.exe
4832 mjabhrxdeb.exe
4832 mjabhrxdeb.exe
4760 cmd.exe
4760 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mjabhrxdeb.execmd.exe

description pid process

Token: SeDebugPrivilege 4832 mjabhrxdeb.exe
Token: SeDebugPrivilege 4760 cmd.exe

pid	process
8	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4832	mjabhrxdeb.exe
Token: SeDebugPrivilege	4760	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

dekont 2022.exemjabhrxdeb.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4468 wrote to memory of 4576	4468	dekont 2022.exe	mjabhrxdeb.exe
PID 4468 wrote to memory of 4576	4468	dekont 2022.exe	mjabhrxdeb.exe
PID 4468 wrote to memory of 4576	4468	dekont 2022.exe	mjabhrxdeb.exe
PID 4576 wrote to memory of 4832	4576	mjabhrxdeb.exe	mjabhrxdeb.exe
PID 4576 wrote to memory of 4832	4576	mjabhrxdeb.exe	mjabhrxdeb.exe
PID 4576 wrote to memory of 4832	4576	mjabhrxdeb.exe	mjabhrxdeb.exe
PID 4576 wrote to memory of 4832	4576	mjabhrxdeb.exe	mjabhrxdeb.exe
PID 4576 wrote to memory of 4832	4576	mjabhrxdeb.exe	mjabhrxdeb.exe
PID 4576 wrote to memory of 4832	4576	mjabhrxdeb.exe	mjabhrxdeb.exe
PID 8 wrote to memory of 4760	8	Explorer.EXE	cmd.exe
PID 8 wrote to memory of 4760	8	Explorer.EXE	cmd.exe
PID 8 wrote to memory of 4760	8	Explorer.EXE	cmd.exe
PID 4760 wrote to memory of 4636	4760	cmd.exe	cmd.exe
PID 4760 wrote to memory of 4636	4760	cmd.exe	cmd.exe
PID 4760 wrote to memory of 4636	4760	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:8

C:\Users\Admin\AppData\Local\Temp\dekont 2022.exe
"C:\Users\Admin\AppData\Local\Temp\dekont 2022.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe
C:\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe C:\Users\Admin\AppData\Local\Temp\snialyaeho
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe
C:\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe C:\Users\Admin\AppData\Local\Temp\snialyaeho
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe"
3⤵
PID:4636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe
Filesize
65KB

MD5
ebc78b15b08cbdbe9d97f4c4a1d2f581

SHA1
3b11c202e6a2fe5bf518854f6ba5aa722fed1cf5

SHA256
133d4e616c1d84e1210cbc95408fb9fa7c95647b964dc9d93cf0da0f18cec736

SHA512
6f93407a01c2a68de283a96b73a08f737de90c26c6781bc2b1c133b667d0fbc8ba14df0cb24a6915956d6e00c964b0a58301893a583141c8f580b009570cecdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe
Filesize
65KB

MD5
ebc78b15b08cbdbe9d97f4c4a1d2f581

SHA1
3b11c202e6a2fe5bf518854f6ba5aa722fed1cf5

SHA256
133d4e616c1d84e1210cbc95408fb9fa7c95647b964dc9d93cf0da0f18cec736

SHA512
6f93407a01c2a68de283a96b73a08f737de90c26c6781bc2b1c133b667d0fbc8ba14df0cb24a6915956d6e00c964b0a58301893a583141c8f580b009570cecdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjabhrxdeb.exe
Filesize
65KB

MD5
ebc78b15b08cbdbe9d97f4c4a1d2f581

SHA1
3b11c202e6a2fe5bf518854f6ba5aa722fed1cf5

SHA256
133d4e616c1d84e1210cbc95408fb9fa7c95647b964dc9d93cf0da0f18cec736

SHA512
6f93407a01c2a68de283a96b73a08f737de90c26c6781bc2b1c133b667d0fbc8ba14df0cb24a6915956d6e00c964b0a58301893a583141c8f580b009570cecdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rd0vbkwpvw
Filesize
163KB

MD5
519f332951512ab70b509950d645576b

SHA1
4edb7ad778e85239cb03122e7fa2d80eb3b59f89

SHA256
213c9ea7d346397bfafeeb6cf96a92ff1072c870b47054eea468bbc856c3d801

SHA512
e4f81a56334d069368870dfdb80830d9ae8e4f290ad12b1b221be67365c1359d102395ddef7a3dad4e0cc35960fb598c0ffb680eda3004436a6b8861bafa27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\snialyaeho
Filesize
5KB

MD5
48c66b750085965860331ce2e105fec7

SHA1
95c87505daf5e871e5fc0f6e67a5ed9a38be818a

SHA256
3b9903268cf9e95f2ebb8275bc67230eefa3b59f8cfff1b7e9119473366017a2

SHA512
18358a00a936b4f58052477c5b1f6894cd994916ae94c606fed7fffc5280ba0e73d77a5f89781c5a5d974fca97c8d1b14bd760b5e138cc0d03f1c5f444cb3c16

Download Submit
memory/8-142-0x0000000008430000-0x0000000008584000-memory.dmp

Filesize
1.3MB

Download
memory/8-149-0x0000000008DA0000-0x0000000008EBF000-memory.dmp

Filesize
1.1MB

Download
memory/4576-130-0x0000000000000000-mapping.dmp

Download
memory/4636-147-0x0000000000000000-mapping.dmp

Download
memory/4760-143-0x0000000000000000-mapping.dmp

Download
memory/4760-145-0x0000000000200000-0x0000000000229000-memory.dmp

Filesize
164KB

Download
memory/4760-144-0x00000000002A0000-0x00000000002FA000-memory.dmp

Filesize
360KB

Download
memory/4760-146-0x0000000000D50000-0x000000000109A000-memory.dmp

Filesize
3.3MB

Download
memory/4760-148-0x0000000000B70000-0x0000000000C00000-memory.dmp

Filesize
576KB

Download
memory/4832-141-0x0000000000E90000-0x0000000000EA1000-memory.dmp

Filesize
68KB

Download
memory/4832-140-0x0000000000B40000-0x0000000000E8A000-memory.dmp

Filesize
3.3MB

Download
memory/4832-139-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4832-136-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4832-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads