xloader | 8720ce143198440ad0bf5cac66c06304ab1f414d24de6c6e8184063cd45e2490

Analysis

max time kernel
146s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 08:43 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Current-value.exe
Size

210KB
MD5

0631513293a26704a9d21585a6dcaaff
SHA1

cb2b45d7d9dc2a79845413eccd319f391ab34dee
SHA256

1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663
SHA512

2d7f1ab850d08a1bd7a9b8e43b9ea60da5ac6dff9bbb311fd61ceb6f501a630492b51d36c7437c158e7ef2f7ba9ec8468b1072c00d0fee93b9e46505a6f44883
SSDEEP

6144:YqjIeZoVSe/5Yo8ENpAgzjBX/srqcr8eFpkokt:VRZo3/W3EvjJ/xcr8eso4

Score

10^/10

xloader 4qdc discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

4qdc

Decoy

sdsjhgs.com

adanonce.com

ace-expertises.com

kasip.club

web2print.works

remteq.com

stillwasserkennels.com

sherepix.ltd

contouron.net

issuebeam.com

nodusentertainmenttw.com

handproofs.com

180-g.com

canrejas.com

f8ca33788f22.com

flatlandgardenning.com

skosolutionsllc.com

santiagobarrientos.com

hrvaworks.com

fungihoney.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral7/memory/2240-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral7/memory/2240-16-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral7/memory/1972-22-0x00000000000D0000-0x00000000000F9000-memory.dmp	xloader

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1952	Current-value.exe
1952	Current-value.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1952 set thread context of 2240	1952	Current-value.exe	30
PID 2240 set thread context of 1188	2240	Current-value.exe	21
PID 1972 set thread context of 1188	1972	control.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Current-value.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1952	Current-value.exe
1952	Current-value.exe
1952	Current-value.exe
1952	Current-value.exe
2240	Current-value.exe
2240	Current-value.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe
1972	control.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1952	Current-value.exe
2240	Current-value.exe
2240	Current-value.exe
2240	Current-value.exe
1972	control.exe
1972	control.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	Current-value.exe
Token: SeDebugPrivilege	1972	control.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2240	1952	Current-value.exe	30
PID 1952 wrote to memory of 2240	1952	Current-value.exe	30
PID 1952 wrote to memory of 2240	1952	Current-value.exe	30
PID 1952 wrote to memory of 2240	1952	Current-value.exe	30
PID 1952 wrote to memory of 2240	1952	Current-value.exe	30
PID 1188 wrote to memory of 1972	1188	Explorer.EXE	31
PID 1188 wrote to memory of 1972	1188	Explorer.EXE	31
PID 1188 wrote to memory of 1972	1188	Explorer.EXE	31
PID 1188 wrote to memory of 1972	1188	Explorer.EXE	31
PID 1972 wrote to memory of 2696	1972	control.exe	32
PID 1972 wrote to memory of 2696	1972	control.exe	32
PID 1972 wrote to memory of 2696	1972	control.exe	32
PID 1972 wrote to memory of 2696	1972	control.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\Current-value.exe
  "C:\Users\Admin\AppData\Local\Temp\Current-value.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\Current-value.exe
    "C:\Users\Admin\AppData\Local\Temp\Current-value.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Current-value.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4qjf8.dll

Filesize
11KB

MD5
f017a525c5109cf111948829b85b58cf

SHA1
a18a147258fb576eabd21fcdcdce5407d069fa7a

SHA256
8f78ffe74d0db1c327ed2dc2a76c07d0814ec2060b8f42c0c1cd32f631a4529f

SHA512
5d7a686b52614fb4327121f33ec27c2f0d171dfc694e1ee379cba22ec85a55d7982dd5ccdc99b38237fa0c9f1399e97a4b0a6c86220a021eda6aa1d055e88435

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB868.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/1188-17-0x0000000005300000-0x0000000005445000-memory.dmp

Filesize
1.3MB

Download
memory/1188-23-0x0000000005300000-0x0000000005445000-memory.dmp

Filesize
1.3MB

Download
memory/1952-12-0x0000000074380000-0x0000000074387000-memory.dmp

Filesize
28KB

Download
memory/1952-14-0x0000000074380000-0x0000000074387000-memory.dmp

Filesize
28KB

Download
memory/1972-21-0x00000000001F0000-0x000000000020F000-memory.dmp

Filesize
124KB

Download
memory/1972-20-0x00000000001F0000-0x000000000020F000-memory.dmp

Filesize
124KB

Download
memory/1972-22-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/2240-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2240-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download