xloader | ffbd8cb5a8779c934324bbee870d6b1d7549d4c6eb358cd67b923aa8a5b21a36

General

Target

ffbd8cb5a8779c934324bbee870d6b1d7549d4c6eb358cd67b923aa8a5b21a36.exe
Size

469KB
MD5

6b216b6cc15be9968b6c6eef5fa8591a
SHA1

95a56eb69683dfb5ef9710cc4ddf28c3d2f6ac85
SHA256

ffbd8cb5a8779c934324bbee870d6b1d7549d4c6eb358cd67b923aa8a5b21a36
SHA512

598f4601addb24e457069731aaa2c35092c607a83de7c828eb0ebec983094b6a2f881e16ad7dfaf8289aaf81c20931edcbc6700cd9ebfe634a597528795e1623

Score

10^/10

xloader quc5 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

quc5

Decoy

writerpilotpublishing.com

journeywands.com

madacambo.com

boreslirealestate.com

drillshear.com

urbanmastic.com

focalbunk.com

ghpgroupinc.xyz

rfgmhnvf.com

241mk.com

mandolinzen.com

thenorthstarbets.com

oggperformancehorses.com

webuywholesalerhouses.com

cinreyyy.com

theyoungwedding.com

neuro-ai-web-ru.digital

zavienniky.xyz

kin-school.com

lowratepersonalloans.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4412-122-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/4412-123-0x000000000041D470-mapping.dmp	xloader
behavioral1/memory/4412-126-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/4412-128-0x0000000000950000-0x0000000000AE5000-memory.dmp	xloader
behavioral1/memory/4476-133-0x0000000000340000-0x0000000000369000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

skabtxc.exeskabtxc.exe

pid process

1832 skabtxc.exe
4412 skabtxc.exe

pid	process
1832	skabtxc.exe
4412	skabtxc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

skabtxc.exeskabtxc.exesystray.exe

description	pid	process	target process
PID 1832 set thread context of 4412	1832	skabtxc.exe	skabtxc.exe
PID 4412 set thread context of 3112	4412	skabtxc.exe	Explorer.EXE
PID 4476 set thread context of 3112	4476	systray.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

skabtxc.exesystray.exe

pid	process
4412	skabtxc.exe
4412	skabtxc.exe
4412	skabtxc.exe
4412	skabtxc.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe
4476	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3112 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

skabtxc.exesystray.exe

pid process

4412 skabtxc.exe
4412 skabtxc.exe
4412 skabtxc.exe
4476 systray.exe
4476 systray.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

skabtxc.exesystray.exe

description pid process

Token: SeDebugPrivilege 4412 skabtxc.exe
Token: SeDebugPrivilege 4476 systray.exe

pid	process
3112	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4412	skabtxc.exe
Token: SeDebugPrivilege	4476	systray.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ffbd8cb5a8779c934324bbee870d6b1d7549d4c6eb358cd67b923aa8a5b21a36.exeskabtxc.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 3932 wrote to memory of 1832	3932	ffbd8cb5a8779c934324bbee870d6b1d7549d4c6eb358cd67b923aa8a5b21a36.exe	skabtxc.exe
PID 3932 wrote to memory of 1832	3932	ffbd8cb5a8779c934324bbee870d6b1d7549d4c6eb358cd67b923aa8a5b21a36.exe	skabtxc.exe
PID 3932 wrote to memory of 1832	3932	ffbd8cb5a8779c934324bbee870d6b1d7549d4c6eb358cd67b923aa8a5b21a36.exe	skabtxc.exe
PID 1832 wrote to memory of 4412	1832	skabtxc.exe	skabtxc.exe
PID 1832 wrote to memory of 4412	1832	skabtxc.exe	skabtxc.exe
PID 1832 wrote to memory of 4412	1832	skabtxc.exe	skabtxc.exe
PID 1832 wrote to memory of 4412	1832	skabtxc.exe	skabtxc.exe
PID 1832 wrote to memory of 4412	1832	skabtxc.exe	skabtxc.exe
PID 1832 wrote to memory of 4412	1832	skabtxc.exe	skabtxc.exe
PID 3112 wrote to memory of 4476	3112	Explorer.EXE	systray.exe
PID 3112 wrote to memory of 4476	3112	Explorer.EXE	systray.exe
PID 3112 wrote to memory of 4476	3112	Explorer.EXE	systray.exe
PID 4476 wrote to memory of 2184	4476	systray.exe	cmd.exe
PID 4476 wrote to memory of 2184	4476	systray.exe	cmd.exe
PID 4476 wrote to memory of 2184	4476	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3112

C:\Users\Admin\AppData\Local\Temp\ffbd8cb5a8779c934324bbee870d6b1d7549d4c6eb358cd67b923aa8a5b21a36.exe
"C:\Users\Admin\AppData\Local\Temp\ffbd8cb5a8779c934324bbee870d6b1d7549d4c6eb358cd67b923aa8a5b21a36.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\skabtxc.exe
C:\Users\Admin\AppData\Local\Temp\skabtxc.exe C:\Users\Admin\AppData\Local\Temp\strxl
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\skabtxc.exe
C:\Users\Admin\AppData\Local\Temp\skabtxc.exe C:\Users\Admin\AppData\Local\Temp\strxl
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4480

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2500

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2592

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2600

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2540

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\skabtxc.exe"
3⤵
PID:2184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avcwzbzslwxa8uak3n
Filesize
163KB

MD5
e1fb834bd21b9087f6620bccf117f359

SHA1
d5730c6f1a001a98e180f32955d316dee3e57a94

SHA256
9173cc39a1c259fd7169293dcabb78b227274afa80b4a52a9bcef5991da320d0

SHA512
50f8893b1e0486a3e3c4a774aa44b2ce13fc362aba7c1afee0917042ec4abeeef69c2009f9ae4f66c48b0d19ad17e3940321321a557474e763d641e4d9276285

Download Submit
C:\Users\Admin\AppData\Local\Temp\skabtxc.exe
Filesize
75KB

MD5
b989f6a6b28a9eacf287fbf4d9ad03a4

SHA1
19bfc4029267d0c4edf8c793a0a9608b5d10739b

SHA256
9cf07873fd6703389c3805db3cdd1432eebd94f60afd4be7d82755f43761d25c

SHA512
eae3490d9052f72465471bf5e5b47dee6ff0869655224ce9b123abd8875b5dcb18b077632decf66d980417113c6928aa97a761f6ae4bdba74b7233e482b60e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\skabtxc.exe
Filesize
75KB

MD5
b989f6a6b28a9eacf287fbf4d9ad03a4

SHA1
19bfc4029267d0c4edf8c793a0a9608b5d10739b

SHA256
9cf07873fd6703389c3805db3cdd1432eebd94f60afd4be7d82755f43761d25c

SHA512
eae3490d9052f72465471bf5e5b47dee6ff0869655224ce9b123abd8875b5dcb18b077632decf66d980417113c6928aa97a761f6ae4bdba74b7233e482b60e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\skabtxc.exe
Filesize
75KB

MD5
b989f6a6b28a9eacf287fbf4d9ad03a4

SHA1
19bfc4029267d0c4edf8c793a0a9608b5d10739b

SHA256
9cf07873fd6703389c3805db3cdd1432eebd94f60afd4be7d82755f43761d25c

SHA512
eae3490d9052f72465471bf5e5b47dee6ff0869655224ce9b123abd8875b5dcb18b077632decf66d980417113c6928aa97a761f6ae4bdba74b7233e482b60e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\strxl
Filesize
4KB

MD5
bf437e690ce35798e95c6ac6722d6f4c

SHA1
61da3d2ec2a968c6d6d8c4180fc74c4249828c33

SHA256
637889e039308962927ce703b1094be8d6b5d332a115d4ae6704abd8fc08040b

SHA512
82a47234cbec17090c6caa13ca07c483e90f39b311e41466698a24608c935935846b445dea0a347bfdaa987acb7490c37b7f258b34443c2e4ac06d9f331ca0fb

Download Submit
memory/1832-117-0x0000000000000000-mapping.dmp

Download
memory/2184-131-0x0000000000000000-mapping.dmp

Download
memory/3112-129-0x0000000002FA0000-0x0000000003090000-memory.dmp

Filesize
960KB

Download
memory/3112-136-0x0000000006720000-0x000000000683F000-memory.dmp

Filesize
1.1MB

Download
memory/4412-126-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4412-128-0x0000000000950000-0x0000000000AE5000-memory.dmp

Filesize
1.6MB

Download
memory/4412-127-0x0000000000AF0000-0x0000000000E10000-memory.dmp

Filesize
3.1MB

Download
memory/4412-123-0x000000000041D470-mapping.dmp

Download
memory/4412-122-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4476-130-0x0000000000000000-mapping.dmp

Download
memory/4476-132-0x0000000000B20000-0x0000000000B26000-memory.dmp

Filesize
24KB

Download
memory/4476-134-0x0000000004510000-0x0000000004830000-memory.dmp

Filesize
3.1MB

Download
memory/4476-133-0x0000000000340000-0x0000000000369000-memory.dmp

Filesize
164KB

Download
memory/4476-135-0x00000000041D0000-0x0000000004361000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads