xloader | 41752d18a6da546687259e730e12313a804b313d041631262df801ef5d092569

General

Target

virement file gfx256.exe
Size

219KB
MD5

4105db4e41a2c9399768201b068a2a8c
SHA1

d89976b120c88dc5cd57fc78a35d5474f53a34bb
SHA256

41752d18a6da546687259e730e12313a804b313d041631262df801ef5d092569
SHA512

9380a3dfa62d3baf8b41102a04104da523d3cd5e871ee955abd49230f4fa063fbc9205dad6202856a8b7edd063d44556b0ae282577590782c4a4d5dbd950a883

Score

10^/10

xloader cbgo loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

santesha.com

britneysbeautybar.com

sh-cy17.com

jeffcarveragency.com

3117111.com

sobrehosting.net

ddm123.xyz

toxcompliance.com

auditorydesigns.com

vliftfacial.com

ielhii.com

naameliss.com

ritualchariot.com

solchange.com

quatre-vingts.design

lawnmowermashine.com

braceletsstore.net

admappy.com

tollivercoltd.com

vaidix.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3160-136-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3160-139-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3108-148-0x0000000000780000-0x00000000007A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

wtuklosens.exewtuklosens.exe

pid process

1020 wtuklosens.exe
3160 wtuklosens.exe

pid	process
1020	wtuklosens.exe
3160	wtuklosens.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

wtuklosens.exewtuklosens.exeipconfig.exe

description	pid	process	target process
PID 1020 set thread context of 3160	1020	wtuklosens.exe	wtuklosens.exe
PID 3160 set thread context of 3172	3160	wtuklosens.exe	Explorer.EXE
PID 3160 set thread context of 3172	3160	wtuklosens.exe	Explorer.EXE
PID 3108 set thread context of 3172	3108	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3108 ipconfig.exe

pid	process
3108	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

wtuklosens.exeipconfig.exe

pid	process
3160	wtuklosens.exe
3160	wtuklosens.exe
3160	wtuklosens.exe
3160	wtuklosens.exe
3160	wtuklosens.exe
3160	wtuklosens.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe
3108	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3172 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

wtuklosens.exeipconfig.exe

pid process

3160 wtuklosens.exe
3160 wtuklosens.exe
3160 wtuklosens.exe
3160 wtuklosens.exe
3108 ipconfig.exe
3108 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wtuklosens.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 3160 wtuklosens.exe
Token: SeDebugPrivilege 3108 ipconfig.exe

pid	process
3172	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3160	wtuklosens.exe
Token: SeDebugPrivilege	3108	ipconfig.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

virement file gfx256.exewtuklosens.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 4452 wrote to memory of 1020	4452	virement file gfx256.exe	wtuklosens.exe
PID 4452 wrote to memory of 1020	4452	virement file gfx256.exe	wtuklosens.exe
PID 4452 wrote to memory of 1020	4452	virement file gfx256.exe	wtuklosens.exe
PID 1020 wrote to memory of 3160	1020	wtuklosens.exe	wtuklosens.exe
PID 1020 wrote to memory of 3160	1020	wtuklosens.exe	wtuklosens.exe
PID 1020 wrote to memory of 3160	1020	wtuklosens.exe	wtuklosens.exe
PID 1020 wrote to memory of 3160	1020	wtuklosens.exe	wtuklosens.exe
PID 1020 wrote to memory of 3160	1020	wtuklosens.exe	wtuklosens.exe
PID 1020 wrote to memory of 3160	1020	wtuklosens.exe	wtuklosens.exe
PID 3172 wrote to memory of 3108	3172	Explorer.EXE	ipconfig.exe
PID 3172 wrote to memory of 3108	3172	Explorer.EXE	ipconfig.exe
PID 3172 wrote to memory of 3108	3172	Explorer.EXE	ipconfig.exe
PID 3108 wrote to memory of 3236	3108	ipconfig.exe	cmd.exe
PID 3108 wrote to memory of 3236	3108	ipconfig.exe	cmd.exe
PID 3108 wrote to memory of 3236	3108	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Local\Temp\virement file gfx256.exe
"C:\Users\Admin\AppData\Local\Temp\virement file gfx256.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4452

C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe
C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe C:\Users\Admin\AppData\Local\Temp\ixvcuspnim
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1020

C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe
C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe C:\Users\Admin\AppData\Local\Temp\ixvcuspnim
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1988

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2532

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2316

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2576

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe"
3⤵
PID:3236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ixvcuspnim
Filesize
4KB

MD5
336a7e42fb23d1284b1efbd661a930df

SHA1
63340b3a24fb5577aa9d7391836786418691df0b

SHA256
a2c7b92b2e21cd1a90e14418cf3243c6ce98c81e4c5fa63220b3345dbb05485e

SHA512
b9690f304cf6d9b3634f0836e2a09d4b1b3c3ac54632c5cd39ae8c9006ff9d7d05eb78f200661162e64a05f004213faaf4e10b40627b2471d71bca61bf7738bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jt8wkn8859n3d
Filesize
163KB

MD5
503e7aa394cf6b9cb16cc44655ba8a09

SHA1
c6aa479c2786e1d132754bf562a1272a54d93ac7

SHA256
b01960d09ca92e47d47f3d913d12461d145dbf25514fb81283af44e32170f56d

SHA512
9be01f3c7e9aef2e4d72d27f50cf55d41d828554012ac1e7928a276e923f789e63b176f23c703cee994254e044cc3268ba618e3492ccc518e9ef43c93ec95262

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe
Filesize
65KB

MD5
08fdf623546aa3d7c3b0354501e55bd0

SHA1
857ba1a1d54067ac2588a00e4ef48615bc1b6d4c

SHA256
6c4a8c2448b2a22a9872b88dd6e6fa0421c65c9129067f2339df76cf67be394c

SHA512
7dbd6bb40884b3d4050b55a9952c6003a31fc5380739590de6720dbb0e062676b4f39ac7d337a7d51ccd2d36d25cb65e9cba1643c43ba8b5f90a0c90ab347d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe
Filesize
65KB

MD5
08fdf623546aa3d7c3b0354501e55bd0

SHA1
857ba1a1d54067ac2588a00e4ef48615bc1b6d4c

SHA256
6c4a8c2448b2a22a9872b88dd6e6fa0421c65c9129067f2339df76cf67be394c

SHA512
7dbd6bb40884b3d4050b55a9952c6003a31fc5380739590de6720dbb0e062676b4f39ac7d337a7d51ccd2d36d25cb65e9cba1643c43ba8b5f90a0c90ab347d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe
Filesize
65KB

MD5
08fdf623546aa3d7c3b0354501e55bd0

SHA1
857ba1a1d54067ac2588a00e4ef48615bc1b6d4c

SHA256
6c4a8c2448b2a22a9872b88dd6e6fa0421c65c9129067f2339df76cf67be394c

SHA512
7dbd6bb40884b3d4050b55a9952c6003a31fc5380739590de6720dbb0e062676b4f39ac7d337a7d51ccd2d36d25cb65e9cba1643c43ba8b5f90a0c90ab347d76

Download Submit
memory/1020-130-0x0000000000000000-mapping.dmp

Download
memory/3108-146-0x0000000000000000-mapping.dmp

Download
memory/3108-151-0x0000000000F70000-0x0000000001000000-memory.dmp

Filesize
576KB

Download
memory/3108-150-0x0000000001210000-0x000000000155A000-memory.dmp

Filesize
3.3MB

Download
memory/3108-148-0x0000000000780000-0x00000000007A9000-memory.dmp

Filesize
164KB

Download
memory/3108-147-0x0000000000930000-0x000000000093B000-memory.dmp

Filesize
44KB

Download
memory/3160-135-0x0000000000000000-mapping.dmp

Download
memory/3160-144-0x0000000000A30000-0x0000000000A41000-memory.dmp

Filesize
68KB

Download
memory/3160-141-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/3160-140-0x0000000000A60000-0x0000000000DAA000-memory.dmp

Filesize
3.3MB

Download
memory/3160-139-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3160-136-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3172-145-0x0000000007D30000-0x0000000007E96000-memory.dmp

Filesize
1.4MB

Download
memory/3172-142-0x0000000002570000-0x0000000002655000-memory.dmp

Filesize
916KB

Download
memory/3172-152-0x0000000007EA0000-0x0000000007F59000-memory.dmp

Filesize
740KB

Download
memory/3236-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads