xloader | cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af

General

Target

cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exe
Size

205KB
MD5

975ea043e07e5b18a36acd47e528fd80
SHA1

54ce166f50524e9412ddaa41c2332e78de00734e
SHA256

cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af
SHA512

7bf4b9f440d582faf803a00383c1748029c1b93964524bfe159264405eac6b6eb957398e5c1c225731fad7509b7a4108803838cfcd9d05a6d04a4b5ad7885c40
SSDEEP

6144:r9X0GfUigNb+mlj97SCZs5UkfXbiClgjW3rac0:F0qsbBH70Uk/b5CjWv0

Score

10^/10

xloader xgxp loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

xgxp

Decoy

sin7799.com

konkondwa.com

fixmylot.com

redbirdscottsdale.com

cotcoservices.com

jonwcvxw.com

scotthaeberletriathlon.com

bob816.com

pinukimgood.life

ambitiondurable-ce.com

jioholdingscorp.com

thisisadreamright.com

asaptebal.xyz

sloanehealth.com

huugmooren.com

birdsbarber.supply

albeider.com

theperfectcolour.com

alibabulilmhouston.com

chaing-list.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1760-66-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1760-71-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1572-75-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader
behavioral1/memory/1572-79-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

gbcsfl.exegbcsfl.exe

pid process

1588 gbcsfl.exe
1760 gbcsfl.exe
Loads dropped DLL 3 IoCs

Processes:

cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exegbcsfl.exe

pid process

1404 cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exe
1588 gbcsfl.exe
1588 gbcsfl.exe

pid	process
1404	cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exe
1588	gbcsfl.exe
1588	gbcsfl.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

gbcsfl.exegbcsfl.exeraserver.exe

description	pid	process	target process
PID 1588 set thread context of 1760	1588	gbcsfl.exe	gbcsfl.exe
PID 1760 set thread context of 1412	1760	gbcsfl.exe	Explorer.EXE
PID 1572 set thread context of 1412	1572	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

gbcsfl.exegbcsfl.exeraserver.exe

pid	process
1588	gbcsfl.exe
1588	gbcsfl.exe
1588	gbcsfl.exe
1588	gbcsfl.exe
1760	gbcsfl.exe
1760	gbcsfl.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

gbcsfl.exegbcsfl.exeraserver.exe

pid process

1588 gbcsfl.exe
1760 gbcsfl.exe
1760 gbcsfl.exe
1760 gbcsfl.exe
1572 raserver.exe
1572 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

gbcsfl.exeraserver.exe

description pid process

Token: SeDebugPrivilege 1760 gbcsfl.exe
Token: SeDebugPrivilege 1572 raserver.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
1412 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
1412 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1760	gbcsfl.exe
Token: SeDebugPrivilege	1572	raserver.exe

pid	process
1412	Explorer.EXE
1412	Explorer.EXE

pid	process
1412	Explorer.EXE
1412	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exegbcsfl.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 1404 wrote to memory of 1588	1404	cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exe	gbcsfl.exe
PID 1404 wrote to memory of 1588	1404	cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exe	gbcsfl.exe
PID 1404 wrote to memory of 1588	1404	cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exe	gbcsfl.exe
PID 1404 wrote to memory of 1588	1404	cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exe	gbcsfl.exe
PID 1588 wrote to memory of 1760	1588	gbcsfl.exe	gbcsfl.exe
PID 1588 wrote to memory of 1760	1588	gbcsfl.exe	gbcsfl.exe
PID 1588 wrote to memory of 1760	1588	gbcsfl.exe	gbcsfl.exe
PID 1588 wrote to memory of 1760	1588	gbcsfl.exe	gbcsfl.exe
PID 1588 wrote to memory of 1760	1588	gbcsfl.exe	gbcsfl.exe
PID 1412 wrote to memory of 1572	1412	Explorer.EXE	raserver.exe
PID 1412 wrote to memory of 1572	1412	Explorer.EXE	raserver.exe
PID 1412 wrote to memory of 1572	1412	Explorer.EXE	raserver.exe
PID 1412 wrote to memory of 1572	1412	Explorer.EXE	raserver.exe
PID 1572 wrote to memory of 928	1572	raserver.exe	cmd.exe
PID 1572 wrote to memory of 928	1572	raserver.exe	cmd.exe
PID 1572 wrote to memory of 928	1572	raserver.exe	cmd.exe
PID 1572 wrote to memory of 928	1572	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exe
"C:\Users\Admin\AppData\Local\Temp\cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\gbcsfl.exe
"C:\Users\Admin\AppData\Local\Temp\gbcsfl.exe" "C:\Users\Admin\AppData\Local\Temp\ic8lzcplg5alr.dll" "C:\Users\Admin\AppData\Local\Temp\hloeyontex.yat"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\gbcsfl.exe
"C:\Users\Admin\AppData\Local\Temp\gbcsfl.exe" "C:\Users\Admin\AppData\Local\Temp\ic8lzcplg5alr.dll" "C:\Users\Admin\AppData\Local\Temp\hloeyontex.yat"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1636

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\gbcsfl.exe"
3⤵
PID:928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gbcsfl.exe
Filesize
4KB

MD5
096cf7fb05be684e55a5d53b14e9406e

SHA1
f3b3364078815e52cc6029075572a25dc17e242b

SHA256
ff4cd5950a1d88165b66e3d78216f8f1c0ca7a1a2bd460b4176080195a11a2fd

SHA512
26b89f7b79098bc94a278221f2e4abd80e6d568fe9e880fc3744343c8c06db5a2775134c419e1e7d84e214c47cc9cbbb9d019b82552d04bf299c585f1fb456e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbcsfl.exe
Filesize
4KB

MD5
096cf7fb05be684e55a5d53b14e9406e

SHA1
f3b3364078815e52cc6029075572a25dc17e242b

SHA256
ff4cd5950a1d88165b66e3d78216f8f1c0ca7a1a2bd460b4176080195a11a2fd

SHA512
26b89f7b79098bc94a278221f2e4abd80e6d568fe9e880fc3744343c8c06db5a2775134c419e1e7d84e214c47cc9cbbb9d019b82552d04bf299c585f1fb456e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbcsfl.exe
Filesize
4KB

MD5
096cf7fb05be684e55a5d53b14e9406e

SHA1
f3b3364078815e52cc6029075572a25dc17e242b

SHA256
ff4cd5950a1d88165b66e3d78216f8f1c0ca7a1a2bd460b4176080195a11a2fd

SHA512
26b89f7b79098bc94a278221f2e4abd80e6d568fe9e880fc3744343c8c06db5a2775134c419e1e7d84e214c47cc9cbbb9d019b82552d04bf299c585f1fb456e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hloeyontex.yat
Filesize
160KB

MD5
91aabf773e8e4fa6a504cac8db9c141d

SHA1
f531608ffbd77fea1746c34957e1bbba0b2dbc72

SHA256
65704d980944c945bf947a4430efb9028456f42e95dfa06b7464e2c2bf775c16

SHA512
8859cc5ad7637fba157cee735fad4522f2f8cfb49598a8759bff712ab7f5f847409943becb5d641beced0de169e47ceaedd07ec117915904fbbe8153de2fc7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic8lzcplg5alr.dll
Filesize
11KB

MD5
58ff0b8cfbc59b88557fd9b35a6a58de

SHA1
896f0d67ac0d4444eec6b18e21d593b6d7eaffd1

SHA256
f909cc6b230d7555f31ab5641de0c204b4e70c30f5d172921d8d0eb43a44e413

SHA512
7b532eb07b99ceb3356a1287cc64d641a1f44827ebada03d91ef790650ca193bc519925e2c2382b8bceb5a8f72ee82618f5651c689adde43db5ef413aceb8ef0

Download Submit
\Users\Admin\AppData\Local\Temp\gbcsfl.exe
Filesize
4KB

MD5
096cf7fb05be684e55a5d53b14e9406e

SHA1
f3b3364078815e52cc6029075572a25dc17e242b

SHA256
ff4cd5950a1d88165b66e3d78216f8f1c0ca7a1a2bd460b4176080195a11a2fd

SHA512
26b89f7b79098bc94a278221f2e4abd80e6d568fe9e880fc3744343c8c06db5a2775134c419e1e7d84e214c47cc9cbbb9d019b82552d04bf299c585f1fb456e1

Download Submit
\Users\Admin\AppData\Local\Temp\gbcsfl.exe
Filesize
4KB

MD5
096cf7fb05be684e55a5d53b14e9406e

SHA1
f3b3364078815e52cc6029075572a25dc17e242b

SHA256
ff4cd5950a1d88165b66e3d78216f8f1c0ca7a1a2bd460b4176080195a11a2fd

SHA512
26b89f7b79098bc94a278221f2e4abd80e6d568fe9e880fc3744343c8c06db5a2775134c419e1e7d84e214c47cc9cbbb9d019b82552d04bf299c585f1fb456e1

Download Submit
\Users\Admin\AppData\Local\Temp\ic8lzcplg5alr.dll
Filesize
11KB

MD5
58ff0b8cfbc59b88557fd9b35a6a58de

SHA1
896f0d67ac0d4444eec6b18e21d593b6d7eaffd1

SHA256
f909cc6b230d7555f31ab5641de0c204b4e70c30f5d172921d8d0eb43a44e413

SHA512
7b532eb07b99ceb3356a1287cc64d641a1f44827ebada03d91ef790650ca193bc519925e2c2382b8bceb5a8f72ee82618f5651c689adde43db5ef413aceb8ef0

Download Submit
memory/928-73-0x0000000000000000-mapping.dmp

Download
memory/1404-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1412-80-0x0000000006D60000-0x0000000006EDE000-memory.dmp

Filesize
1.5MB

Download
memory/1412-69-0x0000000004E30000-0x0000000004F7B000-memory.dmp

Filesize
1.3MB

Download
memory/1412-78-0x0000000006D60000-0x0000000006EDE000-memory.dmp

Filesize
1.5MB

Download
memory/1572-76-0x0000000001EC0000-0x00000000021C3000-memory.dmp

Filesize
3.0MB

Download
memory/1572-79-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1572-70-0x0000000000000000-mapping.dmp

Download
memory/1572-77-0x00000000007D0000-0x000000000085F000-memory.dmp

Filesize
572KB

Download
memory/1572-75-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1572-74-0x0000000000AA0000-0x0000000000ABC000-memory.dmp

Filesize
112KB

Download
memory/1588-65-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1588-56-0x0000000000000000-mapping.dmp

Download
memory/1760-67-0x0000000000B60000-0x0000000000E63000-memory.dmp

Filesize
3.0MB

Download
memory/1760-71-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1760-68-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/1760-63-0x000000000041CFE0-mapping.dmp

Download
memory/1760-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads