xloader | 2affbb57b10032083dc1fe15a3c1ff1a2aa0b59f74b4ac6d094e94db6a650faa

General

Target

Product_Order#250422.exe
Size

257KB
MD5

265de87c891fc42f378339b4ce0406f5
SHA1

76dee4e7e7c2f22da904b6629880c3f89dca8fed
SHA256

2affbb57b10032083dc1fe15a3c1ff1a2aa0b59f74b4ac6d094e94db6a650faa
SHA512

ca3e0a56c00928958f406ea5841b8c3f21076cd57e31c1818f8801addb7d0436aaf75bc3ae75f0a859fd7601b8dd8569ee658892bff00124324bc76b1a327f4f

Score

10^/10

xloader dx3n loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dx3n

Decoy

polebear.xyz

luciamoca.com

185451.com

bookfriendspodcast.net

reliancetechsolutions.com

wuzuiso.com

ig-representative.com

ryotaohno.com

wlnhcl.com

oasispoolth.com

fo71.com

storyandidentity.com

sayarpro.com

arrow-electronics-corps.net

brasbux.com

nigeriaafricasummit.com

choud.store

medicareopenenrollment.info

amlhcz.com

fdklflkdioerklfdke.store

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1020-63-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1020-64-0x000000000041D4C0-mapping.dmp	xloader
behavioral1/memory/1020-70-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/600-76-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

aueycsx.exeaueycsx.exe

pid process

2000 aueycsx.exe
1020 aueycsx.exe
Loads dropped DLL 2 IoCs

Processes:

Product_Order#250422.exeaueycsx.exe

pid process

2040 Product_Order#250422.exe
2000 aueycsx.exe

pid	process
2000	aueycsx.exe
1020	aueycsx.exe

pid	process
2040	Product_Order#250422.exe
2000	aueycsx.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

aueycsx.exeaueycsx.exehelp.exe

description	pid	process	target process
PID 2000 set thread context of 1020	2000	aueycsx.exe	aueycsx.exe
PID 1020 set thread context of 1248	1020	aueycsx.exe	Explorer.EXE
PID 1020 set thread context of 1248	1020	aueycsx.exe	Explorer.EXE
PID 600 set thread context of 1248	600	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

aueycsx.exehelp.exe

pid	process
1020	aueycsx.exe
1020	aueycsx.exe
1020	aueycsx.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe
600	help.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

aueycsx.exehelp.exe

pid process

1020 aueycsx.exe
1020 aueycsx.exe
1020 aueycsx.exe
1020 aueycsx.exe
600 help.exe
600 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

aueycsx.exehelp.exe

description pid process

Token: SeDebugPrivilege 1020 aueycsx.exe
Token: SeDebugPrivilege 600 help.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1020	aueycsx.exe
Token: SeDebugPrivilege	600	help.exe

pid	process
1248	Explorer.EXE
1248	Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Product_Order#250422.exeaueycsx.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 2040 wrote to memory of 2000	2040	Product_Order#250422.exe	aueycsx.exe
PID 2040 wrote to memory of 2000	2040	Product_Order#250422.exe	aueycsx.exe
PID 2040 wrote to memory of 2000	2040	Product_Order#250422.exe	aueycsx.exe
PID 2040 wrote to memory of 2000	2040	Product_Order#250422.exe	aueycsx.exe
PID 2000 wrote to memory of 1020	2000	aueycsx.exe	aueycsx.exe
PID 2000 wrote to memory of 1020	2000	aueycsx.exe	aueycsx.exe
PID 2000 wrote to memory of 1020	2000	aueycsx.exe	aueycsx.exe
PID 2000 wrote to memory of 1020	2000	aueycsx.exe	aueycsx.exe
PID 2000 wrote to memory of 1020	2000	aueycsx.exe	aueycsx.exe
PID 2000 wrote to memory of 1020	2000	aueycsx.exe	aueycsx.exe
PID 2000 wrote to memory of 1020	2000	aueycsx.exe	aueycsx.exe
PID 1248 wrote to memory of 600	1248	Explorer.EXE	help.exe
PID 1248 wrote to memory of 600	1248	Explorer.EXE	help.exe
PID 1248 wrote to memory of 600	1248	Explorer.EXE	help.exe
PID 1248 wrote to memory of 600	1248	Explorer.EXE	help.exe
PID 600 wrote to memory of 1400	600	help.exe	cmd.exe
PID 600 wrote to memory of 1400	600	help.exe	cmd.exe
PID 600 wrote to memory of 1400	600	help.exe	cmd.exe
PID 600 wrote to memory of 1400	600	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\Product_Order#250422.exe
"C:\Users\Admin\AppData\Local\Temp\Product_Order#250422.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\aueycsx.exe
C:\Users\Admin\AppData\Local\Temp\aueycsx.exe C:\Users\Admin\AppData\Local\Temp\kfupp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\aueycsx.exe
C:\Users\Admin\AppData\Local\Temp\aueycsx.exe C:\Users\Admin\AppData\Local\Temp\kfupp
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\aueycsx.exe"
3⤵
PID:1400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2l0ehdjchxpnymplfk
Filesize
163KB

MD5
6a9be40e3e90d64d41bb5bf5ab045047

SHA1
5b46d8d3f0b1b3c3fb1674d741b42e5cee316bff

SHA256
06e5128d97870d0c68f6b4c384108b0276fcbc47e1d38456a2f1577769165f7d

SHA512
985452bdbe94300017e8cbf35ca1bcaa27016217027bb3a6c1c0ae237d394036949fc4d6afe785255a87ce483ebb75a7ee0d412f041c1de1c842b800108a874e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aueycsx.exe
Filesize
3KB

MD5
4447ceaa26383801955378fb5831ee91

SHA1
ab3c4d769e9125203ce3dbf7e35e76318c2ce3a4

SHA256
3a9b3e044e408c91a6b274d11bb7ec8913aa04b9efa290a899cbf37bed39e930

SHA512
1fcc1a10127946c55ccbb314c52edb1b88c45ea99d367ef8bcd98a44005d5ca0495c54e451b1607d29e751592475682982577d492117b513e4ad090f2be42e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\aueycsx.exe
Filesize
3KB

MD5
4447ceaa26383801955378fb5831ee91

SHA1
ab3c4d769e9125203ce3dbf7e35e76318c2ce3a4

SHA256
3a9b3e044e408c91a6b274d11bb7ec8913aa04b9efa290a899cbf37bed39e930

SHA512
1fcc1a10127946c55ccbb314c52edb1b88c45ea99d367ef8bcd98a44005d5ca0495c54e451b1607d29e751592475682982577d492117b513e4ad090f2be42e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\aueycsx.exe
Filesize
3KB

MD5
4447ceaa26383801955378fb5831ee91

SHA1
ab3c4d769e9125203ce3dbf7e35e76318c2ce3a4

SHA256
3a9b3e044e408c91a6b274d11bb7ec8913aa04b9efa290a899cbf37bed39e930

SHA512
1fcc1a10127946c55ccbb314c52edb1b88c45ea99d367ef8bcd98a44005d5ca0495c54e451b1607d29e751592475682982577d492117b513e4ad090f2be42e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfupp
Filesize
4KB

MD5
5a873257abf1da214b790721f619fe0d

SHA1
80d4635dac8fc7e2b72039bc3a154ef3ed831647

SHA256
323f1d55732df50c290ae1fab18f949fce0b0431fe614ff575582afefc389ea7

SHA512
0c04e0fa15eb17d8f310a78b3f171d0a5eb8bed33caec8490de1f4b322ca18f857c11a24033074fc5c3a973ad680d538343c6347f6182dbc29df250c6b3af8ab

Download Submit
\Users\Admin\AppData\Local\Temp\aueycsx.exe
Filesize
3KB

MD5
4447ceaa26383801955378fb5831ee91

SHA1
ab3c4d769e9125203ce3dbf7e35e76318c2ce3a4

SHA256
3a9b3e044e408c91a6b274d11bb7ec8913aa04b9efa290a899cbf37bed39e930

SHA512
1fcc1a10127946c55ccbb314c52edb1b88c45ea99d367ef8bcd98a44005d5ca0495c54e451b1607d29e751592475682982577d492117b513e4ad090f2be42e50

Download Submit
\Users\Admin\AppData\Local\Temp\aueycsx.exe
Filesize
3KB

MD5
4447ceaa26383801955378fb5831ee91

SHA1
ab3c4d769e9125203ce3dbf7e35e76318c2ce3a4

SHA256
3a9b3e044e408c91a6b274d11bb7ec8913aa04b9efa290a899cbf37bed39e930

SHA512
1fcc1a10127946c55ccbb314c52edb1b88c45ea99d367ef8bcd98a44005d5ca0495c54e451b1607d29e751592475682982577d492117b513e4ad090f2be42e50

Download Submit
memory/600-73-0x0000000000000000-mapping.dmp

Download
memory/600-78-0x0000000000600000-0x0000000000690000-memory.dmp

Filesize
576KB

Download
memory/600-77-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/600-76-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/600-75-0x0000000000D30000-0x0000000000D36000-memory.dmp

Filesize
24KB

Download
memory/1020-68-0x0000000000350000-0x0000000000361000-memory.dmp

Filesize
68KB

Download
memory/1020-70-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1020-71-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/1020-66-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/1020-64-0x000000000041D4C0-mapping.dmp

Download
memory/1020-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1248-69-0x00000000060E0000-0x00000000061D2000-memory.dmp

Filesize
968KB

Download
memory/1248-72-0x0000000006360000-0x000000000646D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-79-0x0000000004A00000-0x0000000004AA3000-memory.dmp

Filesize
652KB

Download
memory/1400-74-0x0000000000000000-mapping.dmp

Download
memory/2000-56-0x0000000000000000-mapping.dmp

Download
memory/2040-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads