xloader | cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af

General

Target

cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exe
Size

205KB
MD5

975ea043e07e5b18a36acd47e528fd80
SHA1

54ce166f50524e9412ddaa41c2332e78de00734e
SHA256

cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af
SHA512

7bf4b9f440d582faf803a00383c1748029c1b93964524bfe159264405eac6b6eb957398e5c1c225731fad7509b7a4108803838cfcd9d05a6d04a4b5ad7885c40
SSDEEP

6144:r9X0GfUigNb+mlj97SCZs5UkfXbiClgjW3rac0:F0qsbBH70Uk/b5CjWv0

Score

10^/10

xloader xgxp loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

xgxp

Decoy

sin7799.com

konkondwa.com

fixmylot.com

redbirdscottsdale.com

cotcoservices.com

jonwcvxw.com

scotthaeberletriathlon.com

bob816.com

pinukimgood.life

ambitiondurable-ce.com

jioholdingscorp.com

thisisadreamright.com

asaptebal.xyz

sloanehealth.com

huugmooren.com

birdsbarber.supply

albeider.com

theperfectcolour.com

alibabulilmhouston.com

chaing-list.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4840-147-0x00000000003C0000-0x00000000003E8000-memory.dmp	xloader
behavioral2/memory/4840-153-0x00000000003C0000-0x00000000003E8000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

gbcsfl.exegbcsfl.exe

pid process

952 gbcsfl.exe
2976 gbcsfl.exe
Loads dropped DLL 1 IoCs

Processes:

gbcsfl.exe

pid process

952 gbcsfl.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

gbcsfl.exegbcsfl.exeipconfig.exe

description	pid	process	target process
PID 952 set thread context of 2976	952	gbcsfl.exe	gbcsfl.exe
PID 2976 set thread context of 2632	2976	gbcsfl.exe	Explorer.EXE
PID 4840 set thread context of 2632	4840	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4840 ipconfig.exe

pid	process
4840	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gbcsfl.exegbcsfl.exeipconfig.exe

pid	process
952	gbcsfl.exe
952	gbcsfl.exe
952	gbcsfl.exe
952	gbcsfl.exe
952	gbcsfl.exe
952	gbcsfl.exe
952	gbcsfl.exe
952	gbcsfl.exe
2976	gbcsfl.exe
2976	gbcsfl.exe
2976	gbcsfl.exe
2976	gbcsfl.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe
4840	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2632 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

gbcsfl.exegbcsfl.exeipconfig.exe

pid process

952 gbcsfl.exe
952 gbcsfl.exe
2976 gbcsfl.exe
2976 gbcsfl.exe
2976 gbcsfl.exe
4840 ipconfig.exe
4840 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

gbcsfl.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 2976 gbcsfl.exe
Token: SeDebugPrivilege 4840 ipconfig.exe

pid	process
2632	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2976	gbcsfl.exe
Token: SeDebugPrivilege	4840	ipconfig.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exegbcsfl.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 4616 wrote to memory of 952	4616	cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exe	gbcsfl.exe
PID 4616 wrote to memory of 952	4616	cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exe	gbcsfl.exe
PID 4616 wrote to memory of 952	4616	cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exe	gbcsfl.exe
PID 952 wrote to memory of 2976	952	gbcsfl.exe	gbcsfl.exe
PID 952 wrote to memory of 2976	952	gbcsfl.exe	gbcsfl.exe
PID 952 wrote to memory of 2976	952	gbcsfl.exe	gbcsfl.exe
PID 952 wrote to memory of 2976	952	gbcsfl.exe	gbcsfl.exe
PID 2632 wrote to memory of 4840	2632	Explorer.EXE	ipconfig.exe
PID 2632 wrote to memory of 4840	2632	Explorer.EXE	ipconfig.exe
PID 2632 wrote to memory of 4840	2632	Explorer.EXE	ipconfig.exe
PID 4840 wrote to memory of 3120	4840	ipconfig.exe	cmd.exe
PID 4840 wrote to memory of 3120	4840	ipconfig.exe	cmd.exe
PID 4840 wrote to memory of 3120	4840	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2632

C:\Users\Admin\AppData\Local\Temp\cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exe
"C:\Users\Admin\AppData\Local\Temp\cf22f276250ff13f33a16fc28c9dec0ad71fda682edaa2db20852fae1e81e7af.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4616

C:\Users\Admin\AppData\Local\Temp\gbcsfl.exe
"C:\Users\Admin\AppData\Local\Temp\gbcsfl.exe" "C:\Users\Admin\AppData\Local\Temp\ic8lzcplg5alr.dll" "C:\Users\Admin\AppData\Local\Temp\hloeyontex.yat"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\Temp\gbcsfl.exe
"C:\Users\Admin\AppData\Local\Temp\gbcsfl.exe" "C:\Users\Admin\AppData\Local\Temp\ic8lzcplg5alr.dll" "C:\Users\Admin\AppData\Local\Temp\hloeyontex.yat"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\gbcsfl.exe"
3⤵
PID:3120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gbcsfl.exe
Filesize
4KB

MD5
096cf7fb05be684e55a5d53b14e9406e

SHA1
f3b3364078815e52cc6029075572a25dc17e242b

SHA256
ff4cd5950a1d88165b66e3d78216f8f1c0ca7a1a2bd460b4176080195a11a2fd

SHA512
26b89f7b79098bc94a278221f2e4abd80e6d568fe9e880fc3744343c8c06db5a2775134c419e1e7d84e214c47cc9cbbb9d019b82552d04bf299c585f1fb456e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbcsfl.exe
Filesize
4KB

MD5
096cf7fb05be684e55a5d53b14e9406e

SHA1
f3b3364078815e52cc6029075572a25dc17e242b

SHA256
ff4cd5950a1d88165b66e3d78216f8f1c0ca7a1a2bd460b4176080195a11a2fd

SHA512
26b89f7b79098bc94a278221f2e4abd80e6d568fe9e880fc3744343c8c06db5a2775134c419e1e7d84e214c47cc9cbbb9d019b82552d04bf299c585f1fb456e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbcsfl.exe
Filesize
4KB

MD5
096cf7fb05be684e55a5d53b14e9406e

SHA1
f3b3364078815e52cc6029075572a25dc17e242b

SHA256
ff4cd5950a1d88165b66e3d78216f8f1c0ca7a1a2bd460b4176080195a11a2fd

SHA512
26b89f7b79098bc94a278221f2e4abd80e6d568fe9e880fc3744343c8c06db5a2775134c419e1e7d84e214c47cc9cbbb9d019b82552d04bf299c585f1fb456e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hloeyontex.yat
Filesize
160KB

MD5
91aabf773e8e4fa6a504cac8db9c141d

SHA1
f531608ffbd77fea1746c34957e1bbba0b2dbc72

SHA256
65704d980944c945bf947a4430efb9028456f42e95dfa06b7464e2c2bf775c16

SHA512
8859cc5ad7637fba157cee735fad4522f2f8cfb49598a8759bff712ab7f5f847409943becb5d641beced0de169e47ceaedd07ec117915904fbbe8153de2fc7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic8lzcplg5alr.dll
Filesize
11KB

MD5
58ff0b8cfbc59b88557fd9b35a6a58de

SHA1
896f0d67ac0d4444eec6b18e21d593b6d7eaffd1

SHA256
f909cc6b230d7555f31ab5641de0c204b4e70c30f5d172921d8d0eb43a44e413

SHA512
7b532eb07b99ceb3356a1287cc64d641a1f44827ebada03d91ef790650ca193bc519925e2c2382b8bceb5a8f72ee82618f5651c689adde43db5ef413aceb8ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic8lzcplg5alr.dll
Filesize
11KB

MD5
58ff0b8cfbc59b88557fd9b35a6a58de

SHA1
896f0d67ac0d4444eec6b18e21d593b6d7eaffd1

SHA256
f909cc6b230d7555f31ab5641de0c204b4e70c30f5d172921d8d0eb43a44e413

SHA512
7b532eb07b99ceb3356a1287cc64d641a1f44827ebada03d91ef790650ca193bc519925e2c2382b8bceb5a8f72ee82618f5651c689adde43db5ef413aceb8ef0

Download Submit
memory/952-141-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/952-137-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/952-132-0x0000000000000000-mapping.dmp

Download
memory/2632-154-0x0000000008620000-0x000000000875C000-memory.dmp

Filesize
1.2MB

Download
memory/2632-150-0x0000000007280000-0x0000000007366000-memory.dmp

Filesize
920KB

Download
memory/2632-144-0x0000000007280000-0x0000000007366000-memory.dmp

Filesize
920KB

Download
memory/2632-152-0x0000000008620000-0x000000000875C000-memory.dmp

Filesize
1.2MB

Download
memory/2976-142-0x0000000000E30000-0x000000000117A000-memory.dmp

Filesize
3.3MB

Download
memory/2976-143-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/2976-139-0x0000000000000000-mapping.dmp

Download
memory/3120-148-0x0000000000000000-mapping.dmp

Download
memory/4840-146-0x00000000002B0000-0x00000000002BB000-memory.dmp

Filesize
44KB

Download
memory/4840-147-0x00000000003C0000-0x00000000003E8000-memory.dmp

Filesize
160KB

Download
memory/4840-149-0x0000000000E80000-0x00000000011CA000-memory.dmp

Filesize
3.3MB

Download
memory/4840-145-0x0000000000000000-mapping.dmp

Download
memory/4840-151-0x0000000000BB0000-0x0000000000C3F000-memory.dmp

Filesize
572KB

Download
memory/4840-153-0x00000000003C0000-0x00000000003E8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads