xloader | 41752d18a6da546687259e730e12313a804b313d041631262df801ef5d092569

General

Target

virement file gfx256.exe
Size

219KB
MD5

4105db4e41a2c9399768201b068a2a8c
SHA1

d89976b120c88dc5cd57fc78a35d5474f53a34bb
SHA256

41752d18a6da546687259e730e12313a804b313d041631262df801ef5d092569
SHA512

9380a3dfa62d3baf8b41102a04104da523d3cd5e871ee955abd49230f4fa063fbc9205dad6202856a8b7edd063d44556b0ae282577590782c4a4d5dbd950a883

Score

10^/10

xloader cbgo loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

santesha.com

britneysbeautybar.com

sh-cy17.com

jeffcarveragency.com

3117111.com

sobrehosting.net

ddm123.xyz

toxcompliance.com

auditorydesigns.com

vliftfacial.com

ielhii.com

naameliss.com

ritualchariot.com

solchange.com

quatre-vingts.design

lawnmowermashine.com

braceletsstore.net

admappy.com

tollivercoltd.com

vaidix.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2156-136-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2156-140-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3664-145-0x00000000006F0000-0x0000000000719000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

wtuklosens.exewtuklosens.exe

pid process

2356 wtuklosens.exe
2156 wtuklosens.exe

pid	process
2356	wtuklosens.exe
2156	wtuklosens.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

wtuklosens.exewtuklosens.exemsdt.exe

description	pid	process	target process
PID 2356 set thread context of 2156	2356	wtuklosens.exe	wtuklosens.exe
PID 2156 set thread context of 3152	2156	wtuklosens.exe	Explorer.EXE
PID 3664 set thread context of 3152	3664	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

wtuklosens.exemsdt.exe

pid	process
2156	wtuklosens.exe
2156	wtuklosens.exe
2156	wtuklosens.exe
2156	wtuklosens.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe
3664	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3152 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

wtuklosens.exemsdt.exe

pid process

2156 wtuklosens.exe
2156 wtuklosens.exe
2156 wtuklosens.exe
3664 msdt.exe
3664 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wtuklosens.exemsdt.exe

description pid process

Token: SeDebugPrivilege 2156 wtuklosens.exe
Token: SeDebugPrivilege 3664 msdt.exe

pid	process
3152	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2156	wtuklosens.exe
Token: SeDebugPrivilege	3664	msdt.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

virement file gfx256.exewtuklosens.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 2428 wrote to memory of 2356	2428	virement file gfx256.exe	wtuklosens.exe
PID 2428 wrote to memory of 2356	2428	virement file gfx256.exe	wtuklosens.exe
PID 2428 wrote to memory of 2356	2428	virement file gfx256.exe	wtuklosens.exe
PID 2356 wrote to memory of 2156	2356	wtuklosens.exe	wtuklosens.exe
PID 2356 wrote to memory of 2156	2356	wtuklosens.exe	wtuklosens.exe
PID 2356 wrote to memory of 2156	2356	wtuklosens.exe	wtuklosens.exe
PID 2356 wrote to memory of 2156	2356	wtuklosens.exe	wtuklosens.exe
PID 2356 wrote to memory of 2156	2356	wtuklosens.exe	wtuklosens.exe
PID 2356 wrote to memory of 2156	2356	wtuklosens.exe	wtuklosens.exe
PID 3152 wrote to memory of 3664	3152	Explorer.EXE	msdt.exe
PID 3152 wrote to memory of 3664	3152	Explorer.EXE	msdt.exe
PID 3152 wrote to memory of 3664	3152	Explorer.EXE	msdt.exe
PID 3664 wrote to memory of 2472	3664	msdt.exe	cmd.exe
PID 3664 wrote to memory of 2472	3664	msdt.exe	cmd.exe
PID 3664 wrote to memory of 2472	3664	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\virement file gfx256.exe
"C:\Users\Admin\AppData\Local\Temp\virement file gfx256.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe
C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe C:\Users\Admin\AppData\Local\Temp\ixvcuspnim
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe
C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe C:\Users\Admin\AppData\Local\Temp\ixvcuspnim
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe"
3⤵
PID:2472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ixvcuspnim
Filesize
4KB

MD5
336a7e42fb23d1284b1efbd661a930df

SHA1
63340b3a24fb5577aa9d7391836786418691df0b

SHA256
a2c7b92b2e21cd1a90e14418cf3243c6ce98c81e4c5fa63220b3345dbb05485e

SHA512
b9690f304cf6d9b3634f0836e2a09d4b1b3c3ac54632c5cd39ae8c9006ff9d7d05eb78f200661162e64a05f004213faaf4e10b40627b2471d71bca61bf7738bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jt8wkn8859n3d
Filesize
163KB

MD5
503e7aa394cf6b9cb16cc44655ba8a09

SHA1
c6aa479c2786e1d132754bf562a1272a54d93ac7

SHA256
b01960d09ca92e47d47f3d913d12461d145dbf25514fb81283af44e32170f56d

SHA512
9be01f3c7e9aef2e4d72d27f50cf55d41d828554012ac1e7928a276e923f789e63b176f23c703cee994254e044cc3268ba618e3492ccc518e9ef43c93ec95262

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe
Filesize
65KB

MD5
08fdf623546aa3d7c3b0354501e55bd0

SHA1
857ba1a1d54067ac2588a00e4ef48615bc1b6d4c

SHA256
6c4a8c2448b2a22a9872b88dd6e6fa0421c65c9129067f2339df76cf67be394c

SHA512
7dbd6bb40884b3d4050b55a9952c6003a31fc5380739590de6720dbb0e062676b4f39ac7d337a7d51ccd2d36d25cb65e9cba1643c43ba8b5f90a0c90ab347d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe
Filesize
65KB

MD5
08fdf623546aa3d7c3b0354501e55bd0

SHA1
857ba1a1d54067ac2588a00e4ef48615bc1b6d4c

SHA256
6c4a8c2448b2a22a9872b88dd6e6fa0421c65c9129067f2339df76cf67be394c

SHA512
7dbd6bb40884b3d4050b55a9952c6003a31fc5380739590de6720dbb0e062676b4f39ac7d337a7d51ccd2d36d25cb65e9cba1643c43ba8b5f90a0c90ab347d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe
Filesize
65KB

MD5
08fdf623546aa3d7c3b0354501e55bd0

SHA1
857ba1a1d54067ac2588a00e4ef48615bc1b6d4c

SHA256
6c4a8c2448b2a22a9872b88dd6e6fa0421c65c9129067f2339df76cf67be394c

SHA512
7dbd6bb40884b3d4050b55a9952c6003a31fc5380739590de6720dbb0e062676b4f39ac7d337a7d51ccd2d36d25cb65e9cba1643c43ba8b5f90a0c90ab347d76

Download Submit
memory/2156-140-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2156-136-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2156-135-0x0000000000000000-mapping.dmp

Download
memory/2156-139-0x0000000000AC0000-0x0000000000E0A000-memory.dmp

Filesize
3.3MB

Download
memory/2156-141-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/2356-130-0x0000000000000000-mapping.dmp

Download
memory/2472-146-0x0000000000000000-mapping.dmp

Download
memory/3152-142-0x0000000002730000-0x0000000002893000-memory.dmp

Filesize
1.4MB

Download
memory/3152-149-0x0000000008130000-0x00000000082B2000-memory.dmp

Filesize
1.5MB

Download
memory/3664-143-0x0000000000000000-mapping.dmp

Download
memory/3664-144-0x00000000008F0000-0x0000000000947000-memory.dmp

Filesize
348KB

Download
memory/3664-145-0x00000000006F0000-0x0000000000719000-memory.dmp

Filesize
164KB

Download
memory/3664-147-0x0000000002850000-0x0000000002B9A000-memory.dmp

Filesize
3.3MB

Download
memory/3664-148-0x0000000002550000-0x00000000025E0000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads