xloader | e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce

General

Target

e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce.exe
Size

214KB
MD5

3e63f636a493ee210b6627e63c954665
SHA1

07edabeb3c3375043de5a0a2af222a9888e40c75
SHA256

e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce
SHA512

4bea9a7c13ff9543532bbbb5ef1497bf3d31d03d1629365d962e953695ebc4d77dde329b451e1b07cdf18c3883d22df2e58b2602e116e32bc4292e027b2c0a42
SSDEEP

6144:oNeZg14JHXuf5KmE+rZOuTdcC2xIC90pLXg4Psgf:oN8HXG1NOiSPxbCLX7PsO

Score

10^/10

xloader hsot discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

hsot

Decoy

carefile.icu

autrement-dit-translation.com

openft.xyz

hip-express.com

snowwisdom.com

effort-less.xyz

cardiopulmonaryservices.com

mednotics.com

hxtz54.com

sendex.global

getemergencyfood.com

xn--ekr703aymjgvi.group

whitmanrandolphmath.com

theunitedgamingleague.net

sxqnx.com

finessemovement.com

srsremodelinginc.com

shuddhiorganics.com

tlichomedical.com

millennium.school

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2464-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2464-15-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2464-19-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2780-26-0x00000000000C0000-0x00000000000E9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
1732	gynoox.exe
2464	gynoox.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce.exe
1732	gynoox.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1732 set thread context of 2464	1732	gynoox.exe	32
PID 2464 set thread context of 1200	2464	gynoox.exe	21
PID 2464 set thread context of 1200	2464	gynoox.exe	21
PID 2780 set thread context of 1200	2780	mstsc.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gynoox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gynoox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2464	gynoox.exe
2464	gynoox.exe
2464	gynoox.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe
2780	mstsc.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2464	gynoox.exe
2464	gynoox.exe
2464	gynoox.exe
2464	gynoox.exe
2780	mstsc.exe
2780	mstsc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	gynoox.exe
Token: SeDebugPrivilege	2780	mstsc.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1732	2036	e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce.exe	31
PID 2036 wrote to memory of 1732	2036	e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce.exe	31
PID 2036 wrote to memory of 1732	2036	e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce.exe	31
PID 2036 wrote to memory of 1732	2036	e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce.exe	31
PID 1732 wrote to memory of 2464	1732	gynoox.exe	32
PID 1732 wrote to memory of 2464	1732	gynoox.exe	32
PID 1732 wrote to memory of 2464	1732	gynoox.exe	32
PID 1732 wrote to memory of 2464	1732	gynoox.exe	32
PID 1732 wrote to memory of 2464	1732	gynoox.exe	32
PID 1732 wrote to memory of 2464	1732	gynoox.exe	32
PID 1732 wrote to memory of 2464	1732	gynoox.exe	32
PID 2464 wrote to memory of 2780	2464	gynoox.exe	33
PID 2464 wrote to memory of 2780	2464	gynoox.exe	33
PID 2464 wrote to memory of 2780	2464	gynoox.exe	33
PID 2464 wrote to memory of 2780	2464	gynoox.exe	33
PID 2780 wrote to memory of 2880	2780	mstsc.exe	34
PID 2780 wrote to memory of 2880	2780	mstsc.exe	34
PID 2780 wrote to memory of 2880	2780	mstsc.exe	34
PID 2780 wrote to memory of 2880	2780	mstsc.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce.exe
  "C:\Users\Admin\AppData\Local\Temp\e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\gynoox.exe
    C:\Users\Admin\AppData\Local\Temp\gynoox.exe C:\Users\Admin\AppData\Local\Temp\jbvzhvisee
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\gynoox.exe
      C:\Users\Admin\AppData\Local\Temp\gynoox.exe C:\Users\Admin\AppData\Local\Temp\jbvzhvisee
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\mstsc.exe
        
        "C:\Windows\SysWOW64\mstsc.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Users\Admin\AppData\Local\Temp\gynoox.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jbvzhvisee

Filesize
5KB

MD5
14eb81fc11bc5a7519e1d13d9c8db270

SHA1
e7fb259e2d54e8d489c31394f4972f8c983a10f6

SHA256
fc71e6c40f10c1e7168aafbc20e02af04e4d6e20c5eeed30d337e22f7f3eb4e5

SHA512
35c2ae89f4927d3c5e78c05f28203c00ba6ba5de10b0f11ab1573114c5170921ea6412a90b2992b2a5efafb59757c9b0810b3bda86293e9fe5b02e03f225a08a

Download Submit
C:\Users\Admin\AppData\Local\Temp\k6nbf21ha3fbj

Filesize
163KB

MD5
608f25eda319b6b7ff254ae53a9e8705

SHA1
22fb3e020a4d186fd6e66604754e42c94e546e44

SHA256
828363931d3b8d883bc873ca92fdfe5c84937f030c1907868d7e8cecd2ca08e4

SHA512
fac692824d87c2017ec1a4a2f5a642a0f89403c174933e1c7077e0e1098ea3f63a5ecf5ac7107e5c6d440c120b40c01bb2bc812d1c3d50dafe3229b9e66cb1eb

Download Submit
\Users\Admin\AppData\Local\Temp\gynoox.exe

Filesize
3KB

MD5
c81d16f671e6bdf7f5ae1c7003856717

SHA1
031ae8483b93c7040fb327d1141dfafa636b75bb

SHA256
ea757de6b7cb2593fbdac083b42f2143812370c864e30c8c461de152664e9a1f

SHA512
f08e25b1f3ba7e58b4f4993b4cf4079e45c132dc85f6f323eba83c4a92d61e76c74a0b264802aabc031f08f13d291d1c6556bd8d7747ba5f37b306346bc732f8

Download Submit
memory/1200-20-0x0000000006DC0000-0x0000000006F4F000-memory.dmp

Filesize
1.6MB

Download
memory/1200-16-0x0000000006C10000-0x0000000006D45000-memory.dmp

Filesize
1.2MB

Download
memory/1200-18-0x0000000006C10000-0x0000000006D45000-memory.dmp

Filesize
1.2MB

Download
memory/1200-27-0x0000000006DC0000-0x0000000006F4F000-memory.dmp

Filesize
1.6MB

Download
memory/1732-9-0x00000000003C0000-0x00000000003C2000-memory.dmp

Filesize
8KB

Download
memory/2464-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2464-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2464-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2780-24-0x0000000000A00000-0x0000000000B04000-memory.dmp

Filesize
1.0MB

Download
memory/2780-25-0x0000000000A00000-0x0000000000B04000-memory.dmp

Filesize
1.0MB

Download
memory/2780-26-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing