xloader | 25148c38c34edf03d8c2610e75188f9223421978e0a73eec5c8a303ca1280d07

General

Target

tmp.exe
Size

193KB
MD5

4ef1cf561792490cfc119a6f4b9433cc
SHA1

6c7cfb9a79edeba7859088ca1a1f9da6d236facb
SHA256

25148c38c34edf03d8c2610e75188f9223421978e0a73eec5c8a303ca1280d07
SHA512

ba4d5b504491e9ed078b51235c3f1a6af7ff769a70ff6127297a03c299a6fe8f7ea1bdea158ff2624d2e9949125a3802255350e748ee263befc9e820e9530813

Score

10^/10

xloader bs8f loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

bs8f

Decoy

atmospheraglobal.com

dontshootima.com

bestofferusde.club

yourdigitalboss.com

breskizci.com

myarrovacoastwebsite.com

reasclerk.com

efrovida.com

wsmz.net

upneett.com

loefflerforgov.com

noida.info

trndystore.com

arhaldar.online

vivibanca.tech

mykrema.com

vseserialy.online

ridgewayinsua.com

heauxland.com

bestcollegecourses.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4576-136-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4544-145-0x0000000000580000-0x00000000005A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

lilaxqbb.exelilaxqbb.exe

pid process

2588 lilaxqbb.exe
4576 lilaxqbb.exe

pid	process
2588	lilaxqbb.exe
4576	lilaxqbb.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

lilaxqbb.exelilaxqbb.exemstsc.exe

description	pid	process	target process
PID 2588 set thread context of 4576	2588	lilaxqbb.exe	lilaxqbb.exe
PID 4576 set thread context of 1060	4576	lilaxqbb.exe	Explorer.EXE
PID 4544 set thread context of 1060	4544	mstsc.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

lilaxqbb.exemstsc.exe

pid	process
4576	lilaxqbb.exe
4576	lilaxqbb.exe
4576	lilaxqbb.exe
4576	lilaxqbb.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe
4544	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1060 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

lilaxqbb.exemstsc.exe

pid process

4576 lilaxqbb.exe
4576 lilaxqbb.exe
4576 lilaxqbb.exe
4544 mstsc.exe
4544 mstsc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

lilaxqbb.exemstsc.exe

description pid process

Token: SeDebugPrivilege 4576 lilaxqbb.exe
Token: SeDebugPrivilege 4544 mstsc.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1060 Explorer.EXE
1060 Explorer.EXE

pid	process
1060	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4576	lilaxqbb.exe
Token: SeDebugPrivilege	4544	mstsc.exe

pid	process
1060	Explorer.EXE
1060	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

tmp.exelilaxqbb.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 4460 wrote to memory of 2588	4460	tmp.exe	lilaxqbb.exe
PID 4460 wrote to memory of 2588	4460	tmp.exe	lilaxqbb.exe
PID 4460 wrote to memory of 2588	4460	tmp.exe	lilaxqbb.exe
PID 2588 wrote to memory of 4576	2588	lilaxqbb.exe	lilaxqbb.exe
PID 2588 wrote to memory of 4576	2588	lilaxqbb.exe	lilaxqbb.exe
PID 2588 wrote to memory of 4576	2588	lilaxqbb.exe	lilaxqbb.exe
PID 2588 wrote to memory of 4576	2588	lilaxqbb.exe	lilaxqbb.exe
PID 2588 wrote to memory of 4576	2588	lilaxqbb.exe	lilaxqbb.exe
PID 2588 wrote to memory of 4576	2588	lilaxqbb.exe	lilaxqbb.exe
PID 1060 wrote to memory of 4544	1060	Explorer.EXE	mstsc.exe
PID 1060 wrote to memory of 4544	1060	Explorer.EXE	mstsc.exe
PID 1060 wrote to memory of 4544	1060	Explorer.EXE	mstsc.exe
PID 4544 wrote to memory of 1344	4544	mstsc.exe	cmd.exe
PID 4544 wrote to memory of 1344	4544	mstsc.exe	cmd.exe
PID 4544 wrote to memory of 1344	4544	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Local\Temp\lilaxqbb.exe
C:\Users\Admin\AppData\Local\Temp\lilaxqbb.exe C:\Users\Admin\AppData\Local\Temp\qwzjl
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\AppData\Local\Temp\lilaxqbb.exe
C:\Users\Admin\AppData\Local\Temp\lilaxqbb.exe C:\Users\Admin\AppData\Local\Temp\qwzjl
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\lilaxqbb.exe"
3⤵
PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lilaxqbb.exe
Filesize
6KB

MD5
cea873373b350445440e7333d45a2735

SHA1
4ee5af4ce6b5cb191cbc2880a7b8259287b92b5d

SHA256
d2b2d63ba5a80cf8bda26906d44f868d0a36f5e62f5fc5f8009ccc7c1cb20f79

SHA512
fa4e11fdd7c4d816413ee63e464210cec74ae871ed5ccbaebb0003be37b90ac0934eb6840e8e5d6098661e6df7c552c7e7e0aaebf302fcbc847070dfdf7a3c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lilaxqbb.exe
Filesize
6KB

MD5
cea873373b350445440e7333d45a2735

SHA1
4ee5af4ce6b5cb191cbc2880a7b8259287b92b5d

SHA256
d2b2d63ba5a80cf8bda26906d44f868d0a36f5e62f5fc5f8009ccc7c1cb20f79

SHA512
fa4e11fdd7c4d816413ee63e464210cec74ae871ed5ccbaebb0003be37b90ac0934eb6840e8e5d6098661e6df7c552c7e7e0aaebf302fcbc847070dfdf7a3c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lilaxqbb.exe
Filesize
6KB

MD5
cea873373b350445440e7333d45a2735

SHA1
4ee5af4ce6b5cb191cbc2880a7b8259287b92b5d

SHA256
d2b2d63ba5a80cf8bda26906d44f868d0a36f5e62f5fc5f8009ccc7c1cb20f79

SHA512
fa4e11fdd7c4d816413ee63e464210cec74ae871ed5ccbaebb0003be37b90ac0934eb6840e8e5d6098661e6df7c552c7e7e0aaebf302fcbc847070dfdf7a3c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwzjl
Filesize
4KB

MD5
ad85e1abe255b453282baaf817b34bba

SHA1
f2f40b78535012f337ec9f5983276f24c113d0a7

SHA256
5b3e0f559d470993d2fce051bc09aa813f37c700da400491644a6ef5461ac0e9

SHA512
375728e3eac5b19c105633012c3a0085d114c6afbbc7a8ad2c57df3f29addf2a7b37a83be5ada408f9fd0cd81c16864bb1304d1be5b5ac912f3847149515a456

Download Submit
C:\Users\Admin\AppData\Local\Temp\scijh7u2xhl2xtr17r
Filesize
163KB

MD5
dafb005f8fd0eef3d0c507a92401a547

SHA1
3688605f1c694b693c6e6cca6701feb3f7047ff6

SHA256
b29edd425a3f3cf35ff5d21fda608732929b714e4b23f63f51df2bc2298bc659

SHA512
dbed72bdf6cdb812bba4c7b13ba1fbacfcae5b696758febfc2305d9fcf6bf207f374afbb433f38ab7d11ac010c62e804cfe0d4df173590e9fc4a1d3d6eb4d091

Download Submit
memory/1060-148-0x0000000002760000-0x000000000284D000-memory.dmp

Filesize
948KB

Download
memory/1060-141-0x0000000008360000-0x0000000008500000-memory.dmp

Filesize
1.6MB

Download
memory/1344-143-0x0000000000000000-mapping.dmp

Download
memory/2588-130-0x0000000000000000-mapping.dmp

Download
memory/4544-142-0x0000000000000000-mapping.dmp

Download
memory/4544-144-0x0000000000710000-0x000000000084A000-memory.dmp

Filesize
1.2MB

Download
memory/4544-145-0x0000000000580000-0x00000000005A9000-memory.dmp

Filesize
164KB

Download
memory/4544-146-0x0000000002910000-0x0000000002C5A000-memory.dmp

Filesize
3.3MB

Download
memory/4544-147-0x00000000026B0000-0x0000000002740000-memory.dmp

Filesize
576KB

Download
memory/4576-139-0x00000000009F0000-0x0000000000D3A000-memory.dmp

Filesize
3.3MB

Download
memory/4576-140-0x00000000006D0000-0x00000000006E1000-memory.dmp

Filesize
68KB

Download
memory/4576-136-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4576-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads