xloader | 55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907

General

Target

55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907.exe
Size

655KB
MD5

52c7af6bc13670eb0b4b830d4f60fd7b
SHA1

b6d3c5f7f912ef524dc7e2679a6e205a0fb88b13
SHA256

55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907
SHA512

6f6a0482962d39e3bd5fedf8c3db14607fc0cce81b544df5578aa8f408a18c106b58c5d8b7c8fdd5e8cafac30477a892cd3203cb452fd321d8e2397baa850bae

Score

10^/10

xloader o8g5 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

o8g5

Decoy

janeyelizarobertson.online

skachat-mp3.com

teamugoldzulu.com

qizuibashe.com

futuregainz.net

deedlife.com

findersguilde.com

memountainbikeadventures.com

carflagsmagnets.com

queenofheartsshop.com

jematai.com

adriannawilleford.com

dryfamwines.com

capitalsorted.com

runtaoyan.com

1833sell911.com

ysh9006.com

fouracrefoods.com

greenfieldjack.net

jokerjackpot888.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4692-137-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4692-142-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4848-146-0x0000000000770000-0x0000000000799000-memory.dmp	xloader
behavioral2/memory/4848-150-0x0000000000770000-0x0000000000799000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

ffgnb.exed11bbh6a.exe

pid process

3576 ffgnb.exe
4692 d11bbh6a.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ffgnb.exed11bbh6a.exeNETSTAT.EXE

description	pid	process	target process
PID 3576 set thread context of 4692	3576	ffgnb.exe	d11bbh6a.exe
PID 4692 set thread context of 2164	4692	d11bbh6a.exe	Explorer.EXE
PID 4848 set thread context of 2164	4848	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

4848 NETSTAT.EXE

pid	process
4848	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ffgnb.exed11bbh6a.exeNETSTAT.EXE

pid	process
3576	ffgnb.exe
3576	ffgnb.exe
3576	ffgnb.exe
3576	ffgnb.exe
3576	ffgnb.exe
3576	ffgnb.exe
3576	ffgnb.exe
3576	ffgnb.exe
4692	d11bbh6a.exe
4692	d11bbh6a.exe
4692	d11bbh6a.exe
4692	d11bbh6a.exe
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE
4848	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2164 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

ffgnb.exed11bbh6a.exeNETSTAT.EXE

pid process

3576 ffgnb.exe
4692 d11bbh6a.exe
4692 d11bbh6a.exe
4692 d11bbh6a.exe
4848 NETSTAT.EXE
4848 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d11bbh6a.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 4692 d11bbh6a.exe
Token: SeDebugPrivilege 4848 NETSTAT.EXE

pid	process
2164	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4692	d11bbh6a.exe
Token: SeDebugPrivilege	4848	NETSTAT.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907.exeffgnb.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 4392 wrote to memory of 3576	4392	55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907.exe	ffgnb.exe
PID 4392 wrote to memory of 3576	4392	55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907.exe	ffgnb.exe
PID 4392 wrote to memory of 3576	4392	55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907.exe	ffgnb.exe
PID 3576 wrote to memory of 4692	3576	ffgnb.exe	d11bbh6a.exe
PID 3576 wrote to memory of 4692	3576	ffgnb.exe	d11bbh6a.exe
PID 3576 wrote to memory of 4692	3576	ffgnb.exe	d11bbh6a.exe
PID 3576 wrote to memory of 4692	3576	ffgnb.exe	d11bbh6a.exe
PID 2164 wrote to memory of 4848	2164	Explorer.EXE	NETSTAT.EXE
PID 2164 wrote to memory of 4848	2164	Explorer.EXE	NETSTAT.EXE
PID 2164 wrote to memory of 4848	2164	Explorer.EXE	NETSTAT.EXE
PID 4848 wrote to memory of 4900	4848	NETSTAT.EXE	cmd.exe
PID 4848 wrote to memory of 4900	4848	NETSTAT.EXE	cmd.exe
PID 4848 wrote to memory of 4900	4848	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907.exe
"C:\Users\Admin\AppData\Local\Temp\55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Local\Temp\ffgnb.exe
C:\Users\Admin\AppData\Local\Temp\ffgnb.exe C:\Users\Admin\AppData\Local\Temp\yttpclsuz.un
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3576

C:\Users\Admin\AppData\Local\Temp\d11bbh6a.exe
C:\Users\Admin\AppData\Local\Temp\ffgnb.exe C:\Users\Admin\AppData\Local\Temp\yttpclsuz.un
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\d11bbh6a.exe"
3⤵
PID:4900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d11bbh6a.exe
Filesize
872KB

MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d11bbh6a.exe
Filesize
872KB

MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffgnb.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffgnb.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lijkyiskt.wb
Filesize
161KB

MD5
435a073304527536e8a4bd1ae42f0758

SHA1
dd0d1940a2296bd300d4616950cdeccde490fc55

SHA256
cf42f72db083c9cb43c7a079fb78285204c5049dfee5d5500ee7af21d2750560

SHA512
35404d899ecd17156bf4abd40272efd56cd973408df79c5c6e3f37da0aefeae9b80188eff28ed8dbdeb2e408922da0007461c808db892e118f15a2d27e4283a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yttpclsuz.un
Filesize
320KB

MD5
ca41cb20cdf27dc176635396d890b37a

SHA1
c0f0be5e238f5ae58fcfe48ce3293527bd446c5f

SHA256
414fa3842e5ef26c75893358286177912e5c288f7d3988fe524ff813ee90ad8f

SHA512
536e5841c351301f6774a61578bd0f57d9e91fdf5b345a1d56e1aed8f76c3dba7a63e07917de8bff9b0bdd3ca9cf9a259c1ca9902373873940143deeb29511c1

Download Submit
memory/2164-140-0x0000000002B00000-0x0000000002BB5000-memory.dmp

Filesize
724KB

Download
memory/2164-151-0x0000000002D40000-0x0000000002DF5000-memory.dmp

Filesize
724KB

Download
memory/2164-149-0x0000000002D40000-0x0000000002DF5000-memory.dmp

Filesize
724KB

Download
memory/3576-130-0x0000000000000000-mapping.dmp

Download
memory/4692-135-0x0000000000000000-mapping.dmp

Download
memory/4692-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4692-139-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/4692-138-0x0000000000E60000-0x00000000011AA000-memory.dmp

Filesize
3.3MB

Download
memory/4692-137-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4848-141-0x0000000000000000-mapping.dmp

Download
memory/4848-145-0x0000000000910000-0x000000000091B000-memory.dmp

Filesize
44KB

Download
memory/4848-147-0x0000000001100000-0x000000000144A000-memory.dmp

Filesize
3.3MB

Download
memory/4848-146-0x0000000000770000-0x0000000000799000-memory.dmp

Filesize
164KB

Download
memory/4848-148-0x0000000001010000-0x000000000109F000-memory.dmp

Filesize
572KB

Download
memory/4848-150-0x0000000000770000-0x0000000000799000-memory.dmp

Filesize
164KB

Download
memory/4900-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads