xloader | 6cfb66c75d42e49a9a8d6cbf73eb9de1c8df27848f2bf65a81b5b64743699cba

General

Target

6cfb66c75d42e49a9a8d6cbf73eb9de1c8df27848f2bf65a81b5b64743699cba.exe
Size

275KB
MD5

b5691d968eccd79d3b535e2686cb1a03
SHA1

94d44d86ce784de393323a58474224731189c19b
SHA256

6cfb66c75d42e49a9a8d6cbf73eb9de1c8df27848f2bf65a81b5b64743699cba
SHA512

fbb331868c26b6d01553b19571f7ab66d97f049ad8323168189302d6f4d20df5af6ec9528d204130e609807d796f9f081dfc4a50cd5692e38169aa9223ceb849

Score

10^/10

xloader bs8f loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

bs8f

Decoy

atmospheraglobal.com

dontshootima.com

bestofferusde.club

yourdigitalboss.com

breskizci.com

myarrovacoastwebsite.com

reasclerk.com

efrovida.com

wsmz.net

upneett.com

loefflerforgov.com

noida.info

trndystore.com

arhaldar.online

vivibanca.tech

mykrema.com

vseserialy.online

ridgewayinsua.com

heauxland.com

bestcollegecourses.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4724-136-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/4956-144-0x0000000001220000-0x0000000001249000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

tiyikk.exetiyikk.exe

pid process

3352 tiyikk.exe
4724 tiyikk.exe

pid	process
3352	tiyikk.exe
4724	tiyikk.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tiyikk.exetiyikk.execontrol.exe

description	pid	process	target process
PID 3352 set thread context of 4724	3352	tiyikk.exe	tiyikk.exe
PID 4724 set thread context of 2896	4724	tiyikk.exe	Explorer.EXE
PID 4956 set thread context of 2896	4956	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

tiyikk.execontrol.exe

pid	process
4724	tiyikk.exe
4724	tiyikk.exe
4724	tiyikk.exe
4724	tiyikk.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe
4956	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2896 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

tiyikk.execontrol.exe

pid process

4724 tiyikk.exe
4724 tiyikk.exe
4724 tiyikk.exe
4956 control.exe
4956 control.exe

pid	process
2896	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

tiyikk.execontrol.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4724	tiyikk.exe
Token: SeDebugPrivilege	4956	control.exe
Token: SeShutdownPrivilege	2896	Explorer.EXE
Token: SeCreatePagefilePrivilege	2896	Explorer.EXE
Token: SeShutdownPrivilege	2896	Explorer.EXE
Token: SeCreatePagefilePrivilege	2896	Explorer.EXE
Token: SeShutdownPrivilege	2896	Explorer.EXE
Token: SeCreatePagefilePrivilege	2896	Explorer.EXE
Token: SeShutdownPrivilege	2896	Explorer.EXE
Token: SeCreatePagefilePrivilege	2896	Explorer.EXE
Token: SeShutdownPrivilege	2896	Explorer.EXE
Token: SeCreatePagefilePrivilege	2896	Explorer.EXE
Token: SeShutdownPrivilege	2896	Explorer.EXE
Token: SeCreatePagefilePrivilege	2896	Explorer.EXE
Token: SeShutdownPrivilege	2896	Explorer.EXE
Token: SeCreatePagefilePrivilege	2896	Explorer.EXE
Token: SeShutdownPrivilege	2896	Explorer.EXE
Token: SeCreatePagefilePrivilege	2896	Explorer.EXE
Token: SeShutdownPrivilege	2896	Explorer.EXE
Token: SeCreatePagefilePrivilege	2896	Explorer.EXE
Token: SeShutdownPrivilege	2896	Explorer.EXE
Token: SeCreatePagefilePrivilege	2896	Explorer.EXE
Token: SeShutdownPrivilege	2896	Explorer.EXE
Token: SeCreatePagefilePrivilege	2896	Explorer.EXE
Token: SeShutdownPrivilege	2896	Explorer.EXE
Token: SeCreatePagefilePrivilege	2896	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

2896 Explorer.EXE
2896 Explorer.EXE

pid	process
2896	Explorer.EXE
2896	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

6cfb66c75d42e49a9a8d6cbf73eb9de1c8df27848f2bf65a81b5b64743699cba.exetiyikk.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 4716 wrote to memory of 3352	4716	6cfb66c75d42e49a9a8d6cbf73eb9de1c8df27848f2bf65a81b5b64743699cba.exe	tiyikk.exe
PID 4716 wrote to memory of 3352	4716	6cfb66c75d42e49a9a8d6cbf73eb9de1c8df27848f2bf65a81b5b64743699cba.exe	tiyikk.exe
PID 4716 wrote to memory of 3352	4716	6cfb66c75d42e49a9a8d6cbf73eb9de1c8df27848f2bf65a81b5b64743699cba.exe	tiyikk.exe
PID 3352 wrote to memory of 4724	3352	tiyikk.exe	tiyikk.exe
PID 3352 wrote to memory of 4724	3352	tiyikk.exe	tiyikk.exe
PID 3352 wrote to memory of 4724	3352	tiyikk.exe	tiyikk.exe
PID 3352 wrote to memory of 4724	3352	tiyikk.exe	tiyikk.exe
PID 3352 wrote to memory of 4724	3352	tiyikk.exe	tiyikk.exe
PID 3352 wrote to memory of 4724	3352	tiyikk.exe	tiyikk.exe
PID 2896 wrote to memory of 4956	2896	Explorer.EXE	control.exe
PID 2896 wrote to memory of 4956	2896	Explorer.EXE	control.exe
PID 2896 wrote to memory of 4956	2896	Explorer.EXE	control.exe
PID 4956 wrote to memory of 220	4956	control.exe	cmd.exe
PID 4956 wrote to memory of 220	4956	control.exe	cmd.exe
PID 4956 wrote to memory of 220	4956	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2896

C:\Users\Admin\AppData\Local\Temp\6cfb66c75d42e49a9a8d6cbf73eb9de1c8df27848f2bf65a81b5b64743699cba.exe
"C:\Users\Admin\AppData\Local\Temp\6cfb66c75d42e49a9a8d6cbf73eb9de1c8df27848f2bf65a81b5b64743699cba.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\Users\Admin\AppData\Local\Temp\tiyikk.exe
C:\Users\Admin\AppData\Local\Temp\tiyikk.exe C:\Users\Admin\AppData\Local\Temp\qgshio
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3352

C:\Users\Admin\AppData\Local\Temp\tiyikk.exe
C:\Users\Admin\AppData\Local\Temp\tiyikk.exe C:\Users\Admin\AppData\Local\Temp\qgshio
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\tiyikk.exe"
3⤵
PID:220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7vgh4qve0cz5acu01
Filesize
163KB

MD5
07f3aff9015e5a75c2072685deb6d1d5

SHA1
b2c832c23a920017029d812e46d09d2381c334ba

SHA256
b647d2d7d5b812323f2083805eef68709e266b61c3d3a71bc9b5e95293fd1570

SHA512
00d3ef513e9be2317388f446bbcb2809d1f2912ac6fa19e4afad8c58f7581729935d4edda24837ddd01eec9599b2a3e6875013524b96dc0dbce36248abefe127

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgshio
Filesize
5KB

MD5
1fe76d811e64564c593de6cbfed7f88e

SHA1
a25d3e18096ed89c0c1359cb67e64ae78344dba6

SHA256
92611f59df9188605c9742cb4c849901b1898e8b8c28c2e96c52fe4d864d4152

SHA512
3ca4acfd5a0e485c28babff488a9164c3a201ee582e95a9f27a6a650e9cae4d49c873db2529b2cc69bdd053f1b1ae810a230c1e10b2fb239a51d19d274fabdea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiyikk.exe
Filesize
132KB

MD5
5e89cc47cfe9f83c48d114e2e6fc14c0

SHA1
1880762c1bef75a58d9e04a0f5c7ee91204de0dc

SHA256
b311ad23de2f58800c9e3dce92462335bd2df05752f658103f62a5f303e3e657

SHA512
7df13234a743aa5f3e43e696ed18da312a59864f90d4f382ef01f7ed951ef2d4a63257f40db56ebd621e91b1829517b51e0ffe69c7e26d058d9fc5557cc3c2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiyikk.exe
Filesize
132KB

MD5
5e89cc47cfe9f83c48d114e2e6fc14c0

SHA1
1880762c1bef75a58d9e04a0f5c7ee91204de0dc

SHA256
b311ad23de2f58800c9e3dce92462335bd2df05752f658103f62a5f303e3e657

SHA512
7df13234a743aa5f3e43e696ed18da312a59864f90d4f382ef01f7ed951ef2d4a63257f40db56ebd621e91b1829517b51e0ffe69c7e26d058d9fc5557cc3c2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiyikk.exe
Filesize
132KB

MD5
5e89cc47cfe9f83c48d114e2e6fc14c0

SHA1
1880762c1bef75a58d9e04a0f5c7ee91204de0dc

SHA256
b311ad23de2f58800c9e3dce92462335bd2df05752f658103f62a5f303e3e657

SHA512
7df13234a743aa5f3e43e696ed18da312a59864f90d4f382ef01f7ed951ef2d4a63257f40db56ebd621e91b1829517b51e0ffe69c7e26d058d9fc5557cc3c2ca

Download Submit
memory/220-146-0x0000000000000000-mapping.dmp

Download
memory/2896-141-0x0000000007EF0000-0x000000000801F000-memory.dmp

Filesize
1.2MB

Download
memory/2896-148-0x0000000008500000-0x0000000008652000-memory.dmp

Filesize
1.3MB

Download
memory/3352-130-0x0000000000000000-mapping.dmp

Download
memory/4724-138-0x0000000001560000-0x00000000018AA000-memory.dmp

Filesize
3.3MB

Download
memory/4724-140-0x0000000000FC0000-0x0000000000FD1000-memory.dmp

Filesize
68KB

Download
memory/4724-136-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4724-135-0x0000000000000000-mapping.dmp

Download
memory/4956-142-0x0000000000000000-mapping.dmp

Download
memory/4956-143-0x0000000000620000-0x0000000000647000-memory.dmp

Filesize
156KB

Download
memory/4956-144-0x0000000001220000-0x0000000001249000-memory.dmp

Filesize
164KB

Download
memory/4956-145-0x0000000003140000-0x000000000348A000-memory.dmp

Filesize
3.3MB

Download
memory/4956-147-0x0000000002F70000-0x0000000003000000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads