xloader | 7443dce18b5523225353847f6dd17a2ec244c6c32e7f72df3937d2f85d74cff6

General

Target

virement.exe
Size

192KB
MD5

ace33d540a6a1564d93f63ca8e23e49f
SHA1

f7882beb571b12a4d2100672636e93d56fe76591
SHA256

706b938fc167d7ed1747b35cdbd650d476b210ef0c131d76b2e4269f1ab64142
SHA512

28bb6d85e81ee4b5e79921776eaae7e38386b6423fcf6ef139e6d8c45ed3585b1df0fe4340215fc2fda3b21e38687bc2514dd525e5ff210731eac7d744b88727

Score

10^/10

xloader cbgo loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

santesha.com

britneysbeautybar.com

sh-cy17.com

jeffcarveragency.com

3117111.com

sobrehosting.net

ddm123.xyz

toxcompliance.com

auditorydesigns.com

vliftfacial.com

ielhii.com

naameliss.com

ritualchariot.com

solchange.com

quatre-vingts.design

lawnmowermashine.com

braceletsstore.net

admappy.com

tollivercoltd.com

vaidix.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4776-136-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3140-145-0x0000000001200000-0x0000000001229000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

mcqbjr.exemcqbjr.exe

pid process

3820 mcqbjr.exe
4776 mcqbjr.exe

pid	process
3820	mcqbjr.exe
4776	mcqbjr.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

mcqbjr.exemcqbjr.exeraserver.exe

description	pid	process	target process
PID 3820 set thread context of 4776	3820	mcqbjr.exe	mcqbjr.exe
PID 4776 set thread context of 2948	4776	mcqbjr.exe	Explorer.EXE
PID 3140 set thread context of 2948	3140	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

mcqbjr.exeraserver.exe

pid	process
4776	mcqbjr.exe
4776	mcqbjr.exe
4776	mcqbjr.exe
4776	mcqbjr.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe
3140	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2948 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

mcqbjr.exeraserver.exe

pid process

4776 mcqbjr.exe
4776 mcqbjr.exe
4776 mcqbjr.exe
3140 raserver.exe
3140 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mcqbjr.exeraserver.exe

description pid process

Token: SeDebugPrivilege 4776 mcqbjr.exe
Token: SeDebugPrivilege 3140 raserver.exe

pid	process
2948	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4776	mcqbjr.exe
Token: SeDebugPrivilege	3140	raserver.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

virement.exemcqbjr.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 4780 wrote to memory of 3820	4780	virement.exe	mcqbjr.exe
PID 4780 wrote to memory of 3820	4780	virement.exe	mcqbjr.exe
PID 4780 wrote to memory of 3820	4780	virement.exe	mcqbjr.exe
PID 3820 wrote to memory of 4776	3820	mcqbjr.exe	mcqbjr.exe
PID 3820 wrote to memory of 4776	3820	mcqbjr.exe	mcqbjr.exe
PID 3820 wrote to memory of 4776	3820	mcqbjr.exe	mcqbjr.exe
PID 3820 wrote to memory of 4776	3820	mcqbjr.exe	mcqbjr.exe
PID 3820 wrote to memory of 4776	3820	mcqbjr.exe	mcqbjr.exe
PID 3820 wrote to memory of 4776	3820	mcqbjr.exe	mcqbjr.exe
PID 2948 wrote to memory of 3140	2948	Explorer.EXE	raserver.exe
PID 2948 wrote to memory of 3140	2948	Explorer.EXE	raserver.exe
PID 2948 wrote to memory of 3140	2948	Explorer.EXE	raserver.exe
PID 3140 wrote to memory of 2424	3140	raserver.exe	cmd.exe
PID 3140 wrote to memory of 2424	3140	raserver.exe	cmd.exe
PID 3140 wrote to memory of 2424	3140	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\virement.exe
"C:\Users\Admin\AppData\Local\Temp\virement.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\AppData\Local\Temp\mcqbjr.exe
C:\Users\Admin\AppData\Local\Temp\mcqbjr.exe C:\Users\Admin\AppData\Local\Temp\ymjyo
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3820

C:\Users\Admin\AppData\Local\Temp\mcqbjr.exe
C:\Users\Admin\AppData\Local\Temp\mcqbjr.exe C:\Users\Admin\AppData\Local\Temp\ymjyo
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\mcqbjr.exe"
3⤵
PID:2424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mcqbjr.exe
Filesize
4KB

MD5
4b9af23015cf192ba30f5fb48b04e1ed

SHA1
f0d736e2e3f618262fc03d28dd18bd39dd33ccb0

SHA256
c69396529e6e551fa86f14903de3bb846215f2fb698b061bbed8b748dbcec331

SHA512
52e04dc969b6a86efba28c4d47246cc127df948179205011741dffd7e89cc0373d81bcd7b4a125e80f8726bbed7c5296080ac45acdd94541595b51f31ae92c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcqbjr.exe
Filesize
4KB

MD5
4b9af23015cf192ba30f5fb48b04e1ed

SHA1
f0d736e2e3f618262fc03d28dd18bd39dd33ccb0

SHA256
c69396529e6e551fa86f14903de3bb846215f2fb698b061bbed8b748dbcec331

SHA512
52e04dc969b6a86efba28c4d47246cc127df948179205011741dffd7e89cc0373d81bcd7b4a125e80f8726bbed7c5296080ac45acdd94541595b51f31ae92c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcqbjr.exe
Filesize
4KB

MD5
4b9af23015cf192ba30f5fb48b04e1ed

SHA1
f0d736e2e3f618262fc03d28dd18bd39dd33ccb0

SHA256
c69396529e6e551fa86f14903de3bb846215f2fb698b061bbed8b748dbcec331

SHA512
52e04dc969b6a86efba28c4d47246cc127df948179205011741dffd7e89cc0373d81bcd7b4a125e80f8726bbed7c5296080ac45acdd94541595b51f31ae92c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzfe6zcmuslfe8o
Filesize
163KB

MD5
203fb66a1255f32efd830cc15df88ff6

SHA1
065928a65abe7ffdce403d78ff3b02de18139e3b

SHA256
d1e95ca2a7246294ddf7683b916c74c26dcfc1be9b62662584eaa3c3f80e4ace

SHA512
70e8fbb909340a2ea2d30848ef2294a9c066505bcf485e094a80a4fe6871e5cff159ec88f65e404f82eaea95c3aa03393836b2f82e7c5072c4a9885b5ec7b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymjyo
Filesize
5KB

MD5
31efea324cc20e2177eabf04e775b3e9

SHA1
40e7308181e8f9aefba17fca8fd6f0ee6a0a3ee3

SHA256
f89adf7ba463662b77f831b6a1628cb4c47f7b7e9f0e8cc4674a4ed0fb74610f

SHA512
8030fb466feafd1313e6364b05bd273347d7d4227138cef52c73f80231ae6b925a42351a178070bc05a15f90707b190e21a655637c7d943bb4466bde59029c58

Download Submit
memory/2424-146-0x0000000000000000-mapping.dmp

Download
memory/2948-141-0x0000000008720000-0x000000000881B000-memory.dmp

Filesize
1004KB

Download
memory/2948-148-0x0000000008B90000-0x0000000008CD1000-memory.dmp

Filesize
1.3MB

Download
memory/3140-144-0x0000000003190000-0x00000000034DA000-memory.dmp

Filesize
3.3MB

Download
memory/3140-142-0x0000000000000000-mapping.dmp

Download
memory/3140-143-0x0000000000E00000-0x0000000000E1F000-memory.dmp

Filesize
124KB

Download
memory/3140-145-0x0000000001200000-0x0000000001229000-memory.dmp

Filesize
164KB

Download
memory/3140-147-0x0000000002F10000-0x0000000002FA0000-memory.dmp

Filesize
576KB

Download
memory/3820-130-0x0000000000000000-mapping.dmp

Download
memory/4776-140-0x00000000009D0000-0x00000000009E1000-memory.dmp

Filesize
68KB

Download
memory/4776-139-0x0000000000A30000-0x0000000000D7A000-memory.dmp

Filesize
3.3MB

Download
memory/4776-136-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4776-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads