xloader | 1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342

General

Target

1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exe
Size

204KB
MD5

9c40dfd68039060b4349a2222783b9a5
SHA1

26fd3e9ab2553b20259933ec4448ea1638f12399
SHA256

1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342
SHA512

f19eca17bf73a7c26f4b6445135ac884ca353301f7591d05e2fb96205320ecbda94f2455f225ca94aba0b39c4a67ed925495757e75f58b4c40a72c200952db92
SSDEEP

3072:5f1BDZ0kVB67Duw9AMcobKRWyOjMi7UdJixOTWY9SyjD0kyWpQMhRR5WxJenaE6J:59X0GiYOz7USxOTDSyjD0kTn8CnWJ

Score

10^/10

xloader gh6n loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

gh6n

Decoy

cpschoolsschoology.com

thestocksforum.com

pixiewish.com

sopressd.com

muktokontha.com

tiejiabang.net

fdo.technology

kuringnl.com

barbarapastor.com

21stcenturytrading.com

digiwarung.com

canvafynyc.com

forfaitinghouse.com

3704368.com

mymonwero.com

ponpow.com

fringe.golf

heartfeltindonesia.com

defensivedrivercpc.com

allaboutgt.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/972-68-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/972-74-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/808-76-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader
behavioral1/memory/808-81-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

o43aakn2vb3m.exeo43aakn2vb3m.exe

pid process

1068 o43aakn2vb3m.exe
972 o43aakn2vb3m.exe
Loads dropped DLL 3 IoCs

Processes:

1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exeo43aakn2vb3m.exe

pid process

1228 1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exe
1068 o43aakn2vb3m.exe
1068 o43aakn2vb3m.exe

pid	process
1228	1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exe
1068	o43aakn2vb3m.exe
1068	o43aakn2vb3m.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

o43aakn2vb3m.exeo43aakn2vb3m.exewlanext.exe

description	pid	process	target process
PID 1068 set thread context of 972	1068	o43aakn2vb3m.exe	o43aakn2vb3m.exe
PID 972 set thread context of 1268	972	o43aakn2vb3m.exe	Explorer.EXE
PID 972 set thread context of 1268	972	o43aakn2vb3m.exe	Explorer.EXE
PID 808 set thread context of 1268	808	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

o43aakn2vb3m.exeo43aakn2vb3m.exewlanext.exe

pid	process
1068	o43aakn2vb3m.exe
1068	o43aakn2vb3m.exe
1068	o43aakn2vb3m.exe
1068	o43aakn2vb3m.exe
972	o43aakn2vb3m.exe
972	o43aakn2vb3m.exe
972	o43aakn2vb3m.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe
808	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

o43aakn2vb3m.exeo43aakn2vb3m.exewlanext.exe

pid process

1068 o43aakn2vb3m.exe
972 o43aakn2vb3m.exe
972 o43aakn2vb3m.exe
972 o43aakn2vb3m.exe
972 o43aakn2vb3m.exe
808 wlanext.exe
808 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

o43aakn2vb3m.exewlanext.exe

description pid process

Token: SeDebugPrivilege 972 o43aakn2vb3m.exe
Token: SeDebugPrivilege 808 wlanext.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE

pid	process
1268	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	972	o43aakn2vb3m.exe
Token: SeDebugPrivilege	808	wlanext.exe

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exeo43aakn2vb3m.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 1228 wrote to memory of 1068	1228	1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exe	o43aakn2vb3m.exe
PID 1228 wrote to memory of 1068	1228	1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exe	o43aakn2vb3m.exe
PID 1228 wrote to memory of 1068	1228	1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exe	o43aakn2vb3m.exe
PID 1228 wrote to memory of 1068	1228	1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exe	o43aakn2vb3m.exe
PID 1068 wrote to memory of 972	1068	o43aakn2vb3m.exe	o43aakn2vb3m.exe
PID 1068 wrote to memory of 972	1068	o43aakn2vb3m.exe	o43aakn2vb3m.exe
PID 1068 wrote to memory of 972	1068	o43aakn2vb3m.exe	o43aakn2vb3m.exe
PID 1068 wrote to memory of 972	1068	o43aakn2vb3m.exe	o43aakn2vb3m.exe
PID 1068 wrote to memory of 972	1068	o43aakn2vb3m.exe	o43aakn2vb3m.exe
PID 1268 wrote to memory of 808	1268	Explorer.EXE	wlanext.exe
PID 1268 wrote to memory of 808	1268	Explorer.EXE	wlanext.exe
PID 1268 wrote to memory of 808	1268	Explorer.EXE	wlanext.exe
PID 1268 wrote to memory of 808	1268	Explorer.EXE	wlanext.exe
PID 808 wrote to memory of 1520	808	wlanext.exe	cmd.exe
PID 808 wrote to memory of 1520	808	wlanext.exe	cmd.exe
PID 808 wrote to memory of 1520	808	wlanext.exe	cmd.exe
PID 808 wrote to memory of 1520	808	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exe
"C:\Users\Admin\AppData\Local\Temp\1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe
"C:\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe" "C:\Users\Admin\AppData\Local\Temp\mofocjpxzdblgw.dll" "C:\Users\Admin\AppData\Local\Temp\rotgq.o"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe
"C:\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe" "C:\Users\Admin\AppData\Local\Temp\mofocjpxzdblgw.dll" "C:\Users\Admin\AppData\Local\Temp\rotgq.o"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:268

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:472

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:636

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1468

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1336

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:584

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:692

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1640

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1464

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1912

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1400

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1416

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:588

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1212

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:608

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe"
3⤵
PID:1520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mofocjpxzdblgw.dll
Filesize
11KB

MD5
4efa23b13d5d80fd063819039a4a8b3b

SHA1
e07b7d940e7bd0bdac65fec47d11f4b5b4db8140

SHA256
b4d85e03c06be1837f6ae79c2df1a4f6298b8d27b43c1739ec9e22ec9be56527

SHA512
545c0b8773cf57be074ed746b5da6998f19d83bdccf7d6cf6db04c89aa1d6ca7f11101511acdd52c6b2d002cfc46294dae66173e03ffce7a9e2956f241e4439a

Download Submit
C:\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe
Filesize
3KB

MD5
6e5fb0605b1892923f0b9b3e50ef3864

SHA1
debe08f907a78a3c456615cff9be9373c4c0ce4a

SHA256
9ddc194e4882af2ff89785f61aab485ead07b3fd11ade8987b190d4967bf1161

SHA512
e8d6b536bc7843b3a1a57882c495d179b5a2cb346e836738e8a018163837683cb8b485fd098b56a9fdf81e0db5467f6fddb41011710c2d119ee2fe3d267b8ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe
Filesize
3KB

MD5
6e5fb0605b1892923f0b9b3e50ef3864

SHA1
debe08f907a78a3c456615cff9be9373c4c0ce4a

SHA256
9ddc194e4882af2ff89785f61aab485ead07b3fd11ade8987b190d4967bf1161

SHA512
e8d6b536bc7843b3a1a57882c495d179b5a2cb346e836738e8a018163837683cb8b485fd098b56a9fdf81e0db5467f6fddb41011710c2d119ee2fe3d267b8ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe
Filesize
3KB

MD5
6e5fb0605b1892923f0b9b3e50ef3864

SHA1
debe08f907a78a3c456615cff9be9373c4c0ce4a

SHA256
9ddc194e4882af2ff89785f61aab485ead07b3fd11ade8987b190d4967bf1161

SHA512
e8d6b536bc7843b3a1a57882c495d179b5a2cb346e836738e8a018163837683cb8b485fd098b56a9fdf81e0db5467f6fddb41011710c2d119ee2fe3d267b8ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rotgq.o
Filesize
160KB

MD5
39e326f7f896f0c1695c21d55a1d4cf8

SHA1
d8b1726aed81a8c8728d52bd57c5c6034d571249

SHA256
297c749e4315ea16e6146c9e9fc214cad571009c78f411e496e96cf792529661

SHA512
65e5be7a6f8b9728efe5d0ef3301a1a17d76b9df6e16c041ff3755fcafecce5b4437f59ccf57c68fa5005a46ce1ae2aa9dacb479a282a058b57a70adc9f7fafb

Download Submit
\Users\Admin\AppData\Local\Temp\mofocjpxzdblgw.dll
Filesize
11KB

MD5
4efa23b13d5d80fd063819039a4a8b3b

SHA1
e07b7d940e7bd0bdac65fec47d11f4b5b4db8140

SHA256
b4d85e03c06be1837f6ae79c2df1a4f6298b8d27b43c1739ec9e22ec9be56527

SHA512
545c0b8773cf57be074ed746b5da6998f19d83bdccf7d6cf6db04c89aa1d6ca7f11101511acdd52c6b2d002cfc46294dae66173e03ffce7a9e2956f241e4439a

Download Submit
\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe
Filesize
3KB

MD5
6e5fb0605b1892923f0b9b3e50ef3864

SHA1
debe08f907a78a3c456615cff9be9373c4c0ce4a

SHA256
9ddc194e4882af2ff89785f61aab485ead07b3fd11ade8987b190d4967bf1161

SHA512
e8d6b536bc7843b3a1a57882c495d179b5a2cb346e836738e8a018163837683cb8b485fd098b56a9fdf81e0db5467f6fddb41011710c2d119ee2fe3d267b8ea1

Download Submit
\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe
Filesize
3KB

MD5
6e5fb0605b1892923f0b9b3e50ef3864

SHA1
debe08f907a78a3c456615cff9be9373c4c0ce4a

SHA256
9ddc194e4882af2ff89785f61aab485ead07b3fd11ade8987b190d4967bf1161

SHA512
e8d6b536bc7843b3a1a57882c495d179b5a2cb346e836738e8a018163837683cb8b485fd098b56a9fdf81e0db5467f6fddb41011710c2d119ee2fe3d267b8ea1

Download Submit
memory/808-75-0x00000000007F0000-0x0000000000806000-memory.dmp

Filesize
88KB

Download
memory/808-73-0x0000000000000000-mapping.dmp

Download
memory/808-81-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/808-79-0x0000000001DA0000-0x0000000001E2F000-memory.dmp

Filesize
572KB

Download
memory/808-78-0x0000000002070000-0x0000000002373000-memory.dmp

Filesize
3.0MB

Download
memory/808-76-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/972-69-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/972-67-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/972-71-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/972-68-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/972-64-0x000000000041D030-mapping.dmp

Download
memory/972-74-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1068-66-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1068-56-0x0000000000000000-mapping.dmp

Download
memory/1228-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/1268-72-0x0000000006150000-0x000000000626B000-memory.dmp

Filesize
1.1MB

Download
memory/1268-70-0x0000000005FF0000-0x000000000614E000-memory.dmp

Filesize
1.4MB

Download
memory/1268-80-0x0000000003B80000-0x0000000003C1D000-memory.dmp

Filesize
628KB

Download
memory/1268-82-0x000007FF404F0000-0x000007FF404FA000-memory.dmp

Filesize
40KB

Download
memory/1268-83-0x000007FEF6C90000-0x000007FEF6DD3000-memory.dmp

Filesize
1.3MB

Download
memory/1268-84-0x0000000003B80000-0x0000000003C1D000-memory.dmp

Filesize
628KB

Download
memory/1268-85-0x000007FF404F0000-0x000007FF404FA000-memory.dmp

Filesize
40KB

Download
memory/1520-77-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads