xloader | 1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342

General

Target

1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exe
Size

204KB
MD5

9c40dfd68039060b4349a2222783b9a5
SHA1

26fd3e9ab2553b20259933ec4448ea1638f12399
SHA256

1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342
SHA512

f19eca17bf73a7c26f4b6445135ac884ca353301f7591d05e2fb96205320ecbda94f2455f225ca94aba0b39c4a67ed925495757e75f58b4c40a72c200952db92
SSDEEP

3072:5f1BDZ0kVB67Duw9AMcobKRWyOjMi7UdJixOTWY9SyjD0kyWpQMhRR5WxJenaE6J:59X0GiYOz7USxOTDSyjD0kTn8CnWJ

Score

10^/10

xloader gh6n loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

gh6n

Decoy

cpschoolsschoology.com

thestocksforum.com

pixiewish.com

sopressd.com

muktokontha.com

tiejiabang.net

fdo.technology

kuringnl.com

barbarapastor.com

21stcenturytrading.com

digiwarung.com

canvafynyc.com

forfaitinghouse.com

3704368.com

mymonwero.com

ponpow.com

fringe.golf

heartfeltindonesia.com

defensivedrivercpc.com

allaboutgt.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4832-141-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/4832-146-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/4364-149-0x0000000000700000-0x0000000000728000-memory.dmp	xloader
behavioral2/memory/4364-153-0x0000000000700000-0x0000000000728000-memory.dmp	xloader

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

40 4364 rundll32.exe
64 4364 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

o43aakn2vb3m.exeo43aakn2vb3m.exe

pid process

4032 o43aakn2vb3m.exe
4832 o43aakn2vb3m.exe
Loads dropped DLL 1 IoCs

Processes:

o43aakn2vb3m.exe

pid process

4032 o43aakn2vb3m.exe

flow	pid	process
40	4364	rundll32.exe
64	4364	rundll32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

o43aakn2vb3m.exeo43aakn2vb3m.exerundll32.exe

description	pid	process	target process
PID 4032 set thread context of 4832	4032	o43aakn2vb3m.exe	o43aakn2vb3m.exe
PID 4832 set thread context of 3080	4832	o43aakn2vb3m.exe	Explorer.EXE
PID 4364 set thread context of 3080	4364	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

o43aakn2vb3m.exeo43aakn2vb3m.exerundll32.exe

pid	process
4032	o43aakn2vb3m.exe
4032	o43aakn2vb3m.exe
4032	o43aakn2vb3m.exe
4032	o43aakn2vb3m.exe
4032	o43aakn2vb3m.exe
4032	o43aakn2vb3m.exe
4032	o43aakn2vb3m.exe
4032	o43aakn2vb3m.exe
4832	o43aakn2vb3m.exe
4832	o43aakn2vb3m.exe
4832	o43aakn2vb3m.exe
4832	o43aakn2vb3m.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe
4364	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3080 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

o43aakn2vb3m.exeo43aakn2vb3m.exerundll32.exe

pid process

4032 o43aakn2vb3m.exe
4832 o43aakn2vb3m.exe
4832 o43aakn2vb3m.exe
4832 o43aakn2vb3m.exe
4364 rundll32.exe
4364 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

o43aakn2vb3m.exerundll32.exe

description pid process

Token: SeDebugPrivilege 4832 o43aakn2vb3m.exe
Token: SeDebugPrivilege 4364 rundll32.exe

pid	process
3080	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4832	o43aakn2vb3m.exe
Token: SeDebugPrivilege	4364	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exeo43aakn2vb3m.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 3468 wrote to memory of 4032	3468	1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exe	o43aakn2vb3m.exe
PID 3468 wrote to memory of 4032	3468	1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exe	o43aakn2vb3m.exe
PID 3468 wrote to memory of 4032	3468	1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exe	o43aakn2vb3m.exe
PID 4032 wrote to memory of 4832	4032	o43aakn2vb3m.exe	o43aakn2vb3m.exe
PID 4032 wrote to memory of 4832	4032	o43aakn2vb3m.exe	o43aakn2vb3m.exe
PID 4032 wrote to memory of 4832	4032	o43aakn2vb3m.exe	o43aakn2vb3m.exe
PID 4032 wrote to memory of 4832	4032	o43aakn2vb3m.exe	o43aakn2vb3m.exe
PID 3080 wrote to memory of 4364	3080	Explorer.EXE	rundll32.exe
PID 3080 wrote to memory of 4364	3080	Explorer.EXE	rundll32.exe
PID 3080 wrote to memory of 4364	3080	Explorer.EXE	rundll32.exe
PID 4364 wrote to memory of 5112	4364	rundll32.exe	cmd.exe
PID 4364 wrote to memory of 5112	4364	rundll32.exe	cmd.exe
PID 4364 wrote to memory of 5112	4364	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3080

C:\Users\Admin\AppData\Local\Temp\1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exe
"C:\Users\Admin\AppData\Local\Temp\1969c26ba1e1f151c347b1b899dd05d3aacd571286dd7fad25f5e6489a5ef342.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe
"C:\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe" "C:\Users\Admin\AppData\Local\Temp\mofocjpxzdblgw.dll" "C:\Users\Admin\AppData\Local\Temp\rotgq.o"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe
"C:\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe" "C:\Users\Admin\AppData\Local\Temp\mofocjpxzdblgw.dll" "C:\Users\Admin\AppData\Local\Temp\rotgq.o"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe"
3⤵
PID:5112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mofocjpxzdblgw.dll
Filesize
11KB

MD5
4efa23b13d5d80fd063819039a4a8b3b

SHA1
e07b7d940e7bd0bdac65fec47d11f4b5b4db8140

SHA256
b4d85e03c06be1837f6ae79c2df1a4f6298b8d27b43c1739ec9e22ec9be56527

SHA512
545c0b8773cf57be074ed746b5da6998f19d83bdccf7d6cf6db04c89aa1d6ca7f11101511acdd52c6b2d002cfc46294dae66173e03ffce7a9e2956f241e4439a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mofocjpxzdblgw.dll
Filesize
11KB

MD5
4efa23b13d5d80fd063819039a4a8b3b

SHA1
e07b7d940e7bd0bdac65fec47d11f4b5b4db8140

SHA256
b4d85e03c06be1837f6ae79c2df1a4f6298b8d27b43c1739ec9e22ec9be56527

SHA512
545c0b8773cf57be074ed746b5da6998f19d83bdccf7d6cf6db04c89aa1d6ca7f11101511acdd52c6b2d002cfc46294dae66173e03ffce7a9e2956f241e4439a

Download Submit
C:\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe
Filesize
3KB

MD5
6e5fb0605b1892923f0b9b3e50ef3864

SHA1
debe08f907a78a3c456615cff9be9373c4c0ce4a

SHA256
9ddc194e4882af2ff89785f61aab485ead07b3fd11ade8987b190d4967bf1161

SHA512
e8d6b536bc7843b3a1a57882c495d179b5a2cb346e836738e8a018163837683cb8b485fd098b56a9fdf81e0db5467f6fddb41011710c2d119ee2fe3d267b8ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe
Filesize
3KB

MD5
6e5fb0605b1892923f0b9b3e50ef3864

SHA1
debe08f907a78a3c456615cff9be9373c4c0ce4a

SHA256
9ddc194e4882af2ff89785f61aab485ead07b3fd11ade8987b190d4967bf1161

SHA512
e8d6b536bc7843b3a1a57882c495d179b5a2cb346e836738e8a018163837683cb8b485fd098b56a9fdf81e0db5467f6fddb41011710c2d119ee2fe3d267b8ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\o43aakn2vb3m.exe
Filesize
3KB

MD5
6e5fb0605b1892923f0b9b3e50ef3864

SHA1
debe08f907a78a3c456615cff9be9373c4c0ce4a

SHA256
9ddc194e4882af2ff89785f61aab485ead07b3fd11ade8987b190d4967bf1161

SHA512
e8d6b536bc7843b3a1a57882c495d179b5a2cb346e836738e8a018163837683cb8b485fd098b56a9fdf81e0db5467f6fddb41011710c2d119ee2fe3d267b8ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rotgq.o
Filesize
160KB

MD5
39e326f7f896f0c1695c21d55a1d4cf8

SHA1
d8b1726aed81a8c8728d52bd57c5c6034d571249

SHA256
297c749e4315ea16e6146c9e9fc214cad571009c78f411e496e96cf792529661

SHA512
65e5be7a6f8b9728efe5d0ef3301a1a17d76b9df6e16c041ff3755fcafecce5b4437f59ccf57c68fa5005a46ce1ae2aa9dacb479a282a058b57a70adc9f7fafb

Download Submit
memory/3080-144-0x0000000002900000-0x0000000002A73000-memory.dmp

Filesize
1.4MB

Download
memory/3080-154-0x0000000002D10000-0x0000000002E0F000-memory.dmp

Filesize
1020KB

Download
memory/3080-152-0x0000000002D10000-0x0000000002E0F000-memory.dmp

Filesize
1020KB

Download
memory/4032-140-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/4032-132-0x0000000000000000-mapping.dmp

Download
memory/4364-153-0x0000000000700000-0x0000000000728000-memory.dmp

Filesize
160KB

Download
memory/4364-150-0x00000000026A0000-0x00000000029EA000-memory.dmp

Filesize
3.3MB

Download
memory/4364-145-0x0000000000000000-mapping.dmp

Download
memory/4364-151-0x00000000023D0000-0x000000000245F000-memory.dmp

Filesize
572KB

Download
memory/4364-149-0x0000000000700000-0x0000000000728000-memory.dmp

Filesize
160KB

Download
memory/4364-148-0x0000000000900000-0x0000000000914000-memory.dmp

Filesize
80KB

Download
memory/4832-142-0x0000000000A60000-0x0000000000DAA000-memory.dmp

Filesize
3.3MB

Download
memory/4832-146-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4832-143-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/4832-141-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4832-138-0x0000000000000000-mapping.dmp

Download
memory/5112-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads