xloader | e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a

General

Target

e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe
Size

206KB
MD5

5617428ac63756a9a47d7c52603406d4
SHA1

5bc937e71aa0aab508360370a557f683675dc832
SHA256

e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a
SHA512

25ef32b02505f1f334e4e86a6ef181ba531890219d6662152d71fbef7165e65bcfe84e347ff5f2d418c1c102781b2d6f38da7a84b7559be1a3180e14fbbd254d
SSDEEP

6144:59X0GvV6IedPyUuHwdkOGlQm52B/qsAs1SZXKyL/Klm:/0SV/Ui4GlQm52NqsAs1SUK7

Score

10^/10

xloader siwq loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

siwq

Decoy

pestcontrolcleaning.com

openpandoras.com

timmsoski.com

viva-hair.com

icebergpeakgaming.com

pebblecreatives.com

marydilip.info

ashtonmaker.com

aclarandocafe.com

apibet365.com

maddykellyactor.com

sxtengchi.com

victoriamassage.net

html15.com

bamabailbonding.com

ltknudsen.com

haziee.com

knenglishkor.com

inpolychrome.com

inishcorp.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/556-67-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1920-73-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader
behavioral1/memory/1920-77-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

tiv727shx.exetiv727shx.exe

pid process

280 tiv727shx.exe
556 tiv727shx.exe
Loads dropped DLL 3 IoCs

Processes:

e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exetiv727shx.exe

pid process

564 e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe
280 tiv727shx.exe
280 tiv727shx.exe

pid	process
564	e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe
280	tiv727shx.exe
280	tiv727shx.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tiv727shx.exetiv727shx.exewlanext.exe

description	pid	process	target process
PID 280 set thread context of 556	280	tiv727shx.exe	tiv727shx.exe
PID 556 set thread context of 1220	556	tiv727shx.exe	Explorer.EXE
PID 1920 set thread context of 1220	1920	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

tiv727shx.exetiv727shx.exewlanext.exe

pid	process
280	tiv727shx.exe
280	tiv727shx.exe
280	tiv727shx.exe
280	tiv727shx.exe
556	tiv727shx.exe
556	tiv727shx.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe
1920	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

tiv727shx.exetiv727shx.exewlanext.exe

pid process

280 tiv727shx.exe
556 tiv727shx.exe
556 tiv727shx.exe
556 tiv727shx.exe
1920 wlanext.exe
1920 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tiv727shx.exewlanext.exe

description pid process

Token: SeDebugPrivilege 556 tiv727shx.exe
Token: SeDebugPrivilege 1920 wlanext.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE

pid	process
1220	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	556	tiv727shx.exe
Token: SeDebugPrivilege	1920	wlanext.exe

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exetiv727shx.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 564 wrote to memory of 280	564	e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe	tiv727shx.exe
PID 564 wrote to memory of 280	564	e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe	tiv727shx.exe
PID 564 wrote to memory of 280	564	e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe	tiv727shx.exe
PID 564 wrote to memory of 280	564	e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe	tiv727shx.exe
PID 280 wrote to memory of 556	280	tiv727shx.exe	tiv727shx.exe
PID 280 wrote to memory of 556	280	tiv727shx.exe	tiv727shx.exe
PID 280 wrote to memory of 556	280	tiv727shx.exe	tiv727shx.exe
PID 280 wrote to memory of 556	280	tiv727shx.exe	tiv727shx.exe
PID 280 wrote to memory of 556	280	tiv727shx.exe	tiv727shx.exe
PID 1220 wrote to memory of 1920	1220	Explorer.EXE	wlanext.exe
PID 1220 wrote to memory of 1920	1220	Explorer.EXE	wlanext.exe
PID 1220 wrote to memory of 1920	1220	Explorer.EXE	wlanext.exe
PID 1220 wrote to memory of 1920	1220	Explorer.EXE	wlanext.exe
PID 1920 wrote to memory of 1308	1920	wlanext.exe	cmd.exe
PID 1920 wrote to memory of 1308	1920	wlanext.exe	cmd.exe
PID 1920 wrote to memory of 1308	1920	wlanext.exe	cmd.exe
PID 1920 wrote to memory of 1308	1920	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe
"C:\Users\Admin\AppData\Local\Temp\e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe
"C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe" "C:\Users\Admin\AppData\Local\Temp\olac3zs7jm3rr4i.dll" "C:\Users\Admin\AppData\Local\Temp\jjessap.d"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:280

C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe
"C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe" "C:\Users\Admin\AppData\Local\Temp\olac3zs7jm3rr4i.dll" "C:\Users\Admin\AppData\Local\Temp\jjessap.d"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:436

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:872

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1580

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:608

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:924

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:920

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1712

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1332

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe"
3⤵
PID:1308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jjessap.d
Filesize
161KB

MD5
f0321013d66a05ad984d95f978e4d7e4

SHA1
62233a1aad01dc0044c91fa54431ad0110cf9288

SHA256
835734f506366a4ee16f26febc1a8dece7df7692e4f1dbc4f1fb6f4a2fbc7027

SHA512
56b073d76fb1055547bdbcebe03e6cf287acda67ac05168d75de981fc6c12d8a305a513cc7cb31ed6764f0a02da8b3630a8f71b412f87c4d6947ebaf22a4dd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\olac3zs7jm3rr4i.dll
Filesize
12KB

MD5
5d58523f0a1d1cf356ae4975bddf6877

SHA1
29f74dcdb22286f06d611ac9870729e98fbb3d4c

SHA256
88cdd8bb77b8f457d9b2b5a011392d82acdbd848e6440f0563ecf37058d7c554

SHA512
afee0847e1627f7ccf76fd524867bd486e95c3acf0890e00ca117ef4dfebff71c890478dc20b9fec12b954449842593661e623edf9849b5bee613624cc0be498

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe
Filesize
3KB

MD5
2f1d8da9ad48cdefe35d05d56e02e453

SHA1
37fb5e77ebe2b30d021bc5a4021efd679de6dd49

SHA256
83e70a9a3067a8deb5ec5e472a80d3e5f6d82f90c0b5067c973c3077e43d2ca1

SHA512
55c1e8618dad28fa2e40666e9707374604a980ae6791b5b2253d137b77af57fa30a3410da836cdeabee0dd9b3356e7ba53dc113dc13e1016e1f4b74273f2921f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe
Filesize
3KB

MD5
2f1d8da9ad48cdefe35d05d56e02e453

SHA1
37fb5e77ebe2b30d021bc5a4021efd679de6dd49

SHA256
83e70a9a3067a8deb5ec5e472a80d3e5f6d82f90c0b5067c973c3077e43d2ca1

SHA512
55c1e8618dad28fa2e40666e9707374604a980ae6791b5b2253d137b77af57fa30a3410da836cdeabee0dd9b3356e7ba53dc113dc13e1016e1f4b74273f2921f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe
Filesize
3KB

MD5
2f1d8da9ad48cdefe35d05d56e02e453

SHA1
37fb5e77ebe2b30d021bc5a4021efd679de6dd49

SHA256
83e70a9a3067a8deb5ec5e472a80d3e5f6d82f90c0b5067c973c3077e43d2ca1

SHA512
55c1e8618dad28fa2e40666e9707374604a980ae6791b5b2253d137b77af57fa30a3410da836cdeabee0dd9b3356e7ba53dc113dc13e1016e1f4b74273f2921f

Download Submit
\Users\Admin\AppData\Local\Temp\olac3zs7jm3rr4i.dll
Filesize
12KB

MD5
5d58523f0a1d1cf356ae4975bddf6877

SHA1
29f74dcdb22286f06d611ac9870729e98fbb3d4c

SHA256
88cdd8bb77b8f457d9b2b5a011392d82acdbd848e6440f0563ecf37058d7c554

SHA512
afee0847e1627f7ccf76fd524867bd486e95c3acf0890e00ca117ef4dfebff71c890478dc20b9fec12b954449842593661e623edf9849b5bee613624cc0be498

Download Submit
\Users\Admin\AppData\Local\Temp\tiv727shx.exe
Filesize
3KB

MD5
2f1d8da9ad48cdefe35d05d56e02e453

SHA1
37fb5e77ebe2b30d021bc5a4021efd679de6dd49

SHA256
83e70a9a3067a8deb5ec5e472a80d3e5f6d82f90c0b5067c973c3077e43d2ca1

SHA512
55c1e8618dad28fa2e40666e9707374604a980ae6791b5b2253d137b77af57fa30a3410da836cdeabee0dd9b3356e7ba53dc113dc13e1016e1f4b74273f2921f

Download Submit
\Users\Admin\AppData\Local\Temp\tiv727shx.exe
Filesize
3KB

MD5
2f1d8da9ad48cdefe35d05d56e02e453

SHA1
37fb5e77ebe2b30d021bc5a4021efd679de6dd49

SHA256
83e70a9a3067a8deb5ec5e472a80d3e5f6d82f90c0b5067c973c3077e43d2ca1

SHA512
55c1e8618dad28fa2e40666e9707374604a980ae6791b5b2253d137b77af57fa30a3410da836cdeabee0dd9b3356e7ba53dc113dc13e1016e1f4b74273f2921f

Download Submit
memory/280-56-0x0000000000000000-mapping.dmp

Download
memory/280-65-0x00000000744A0000-0x00000000744A7000-memory.dmp

Filesize
28KB

Download
memory/556-66-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/556-67-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/556-68-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download
memory/556-63-0x000000000041D090-mapping.dmp

Download
memory/564-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1220-76-0x0000000004E50000-0x0000000004EEE000-memory.dmp

Filesize
632KB

Download
memory/1220-69-0x0000000004B80000-0x0000000004C6A000-memory.dmp

Filesize
936KB

Download
memory/1220-78-0x0000000004E50000-0x0000000004EEE000-memory.dmp

Filesize
632KB

Download
memory/1308-71-0x0000000000000000-mapping.dmp

Download
memory/1920-74-0x0000000002000000-0x0000000002303000-memory.dmp

Filesize
3.0MB

Download
memory/1920-73-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1920-75-0x0000000001D90000-0x0000000001E20000-memory.dmp

Filesize
576KB

Download
memory/1920-72-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/1920-77-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1920-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads