xloader | a7c1f4ae5c35b88e68b4d82db4c7e14d53922946d853569b5efd5050e7480229

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2022 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36.exe
Size

176KB
MD5

d68996bdcd5a2b28de82355a1107fb9f
SHA1

f4ac00f5e4864a47da3569e0e75eb051e5ffd2bb
SHA256

85668639c9ef2ed33488e13f4cfdb3f90342425c0f7a2ff014e77bd316e5581c
SHA512

d7c34972a76078ffde2c0cf7b2be0e39ffb0b070fea4c8b04e7f0e9339a8d1c50c427af659c2f9e634a9c71f04a87d8a54cf4cf8880a0ebdeab5a49f072aa536
SSDEEP

3072:LVz5TPJuR4ptWuN9X3kUAJefLJMfC0OfWKHFpfY9kn992ffG57AhohP:NFgOph9noeTJTPnfjnUzoh

Score

10^/10

xloader iewb loader rat

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

iewb

Decoy

n8FLlgIlb1rSEg5hJ9xMbw4hcmR38Q==

5vIAIY+pt81OtWs+FdIEdk7Y

LHIKc+oWGIQUUlfAAtEEdk7Y

ePM/cX2jvHrS

5hvPEw22+fdvmJz3C8FIVq0=

mb9EeX2jvHrS

Dx2zIYNvfjo8VUo5

6jVPnyJekv2RAc4gLKNwEqQ=

KWatHyjdE5Gj1Ng=

t9lk70gzUAZty4qjbVjF

6eUBeFPzKBWT125BFNIEdk7Y

dZUXOIyqTJGj1Ng=

iL3TVh2Jl5QVStnzxcAhIL8=

J1prtyklUfZGR/xDD71IbkWRd2yx

s9FgCOBRW9bU0Y6jbVjF

RYCbQDzcFBhcylgu

Fl0BV/8RJm6F9QRg8LXXTLo=

0dhumHzrCCZ3wdQg7nFF1AlL6Tk=

xvL+iL6wwX+/wH9K4lbZ/A==

N0lVceIFD5Gj1Ng=

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral4/memory/1508-137-0x0000000000700000-0x000000000072C000-memory.dmp	xloader
behavioral4/memory/1508-140-0x0000000000700000-0x000000000072C000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

36.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 36.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	36.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

36.execmmon32.exe

description	pid	process	target process
PID 4412 set thread context of 2220	4412	36.exe	Explorer.EXE
PID 1508 set thread context of 2220	1508	cmmon32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

36.execmmon32.exe

pid	process
4412	36.exe
4412	36.exe
4412	36.exe
4412	36.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe
1508	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2220 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

36.execmmon32.exe

pid process

4412 36.exe
4412 36.exe
4412 36.exe
1508 cmmon32.exe
1508 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

36.execmmon32.exe

description pid process

Token: SeDebugPrivilege 4412 36.exe
Token: SeDebugPrivilege 1508 cmmon32.exe

pid	process
2220	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4412	36.exe
Token: SeDebugPrivilege	1508	cmmon32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Explorer.EXEcmmon32.exe

description	pid	process	target process
PID 2220 wrote to memory of 1508	2220	Explorer.EXE	cmmon32.exe
PID 2220 wrote to memory of 1508	2220	Explorer.EXE	cmmon32.exe
PID 2220 wrote to memory of 1508	2220	Explorer.EXE	cmmon32.exe
PID 1508 wrote to memory of 4488	1508	cmmon32.exe	cmd.exe
PID 1508 wrote to memory of 4488	1508	cmmon32.exe	cmd.exe
PID 1508 wrote to memory of 4488	1508	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\36.exe
"C:\Users\Admin\AppData\Local\Temp\36.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\36.exe"
3⤵
PID:4488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1508-135-0x0000000000000000-mapping.dmp

Download
memory/1508-136-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

Filesize
48KB

Download
memory/1508-137-0x0000000000700000-0x000000000072C000-memory.dmp

Filesize
176KB

Download
memory/1508-139-0x0000000002690000-0x00000000029DA000-memory.dmp

Filesize
3.3MB

Download
memory/1508-140-0x0000000000700000-0x000000000072C000-memory.dmp

Filesize
176KB

Download
memory/1508-141-0x0000000002430000-0x00000000024C0000-memory.dmp

Filesize
576KB

Download
memory/2220-134-0x0000000008080000-0x000000000821E000-memory.dmp

Filesize
1.6MB

Download
memory/2220-142-0x0000000002CD0000-0x0000000002DBC000-memory.dmp

Filesize
944KB

Download
memory/2220-143-0x0000000002CD0000-0x0000000002DBC000-memory.dmp

Filesize
944KB

Download
memory/4412-132-0x0000000000C20000-0x0000000000F6A000-memory.dmp

Filesize
3.3MB

Download
memory/4412-133-0x0000000000C00000-0x0000000000C11000-memory.dmp

Filesize
68KB

Download
memory/4488-138-0x0000000000000000-mapping.dmp

Download