xloader | 916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecde

General

Target

916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe
Size

307KB
MD5

28f2c3e63f1fd1357d2cfe72869b53c0
SHA1

173d8ff1943f864ea06ef27921ed0e5e2216666f
SHA256

916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecde
SHA512

c1fe8d6e948521b9d30e4275031b1ff2a2ffb4ff5bd1b0214e631cc4efe3e2613d3edd27c437329edce64f09c35721cc132604c9c2631f2c0269c7ad7a9d9994
SSDEEP

6144:RNeZbN827N5wptBh8EF6+ofNxn1g50EG8Y0lWNe7I+4auF9PX:RNONvJ+ptBCU6++gr86I+69PX

Score

10^/10

xloader op53 discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

op53

Decoy

salamdiab.com

pysznepay.com

braktonem.quest

z5jgazn.xyz

jungleking.online

for2play.com

organizedkay.com

bitsgifts.com

autobras.online

paghosting.net

waltersswholesale.com

seculardata.com

hsa-attorneys.com

genyuandl.com

metalcorpperu.com

jasbellyfusion.com

weddingtowifepodcast.com

69xibao.xyz

dsp-energe.com

jantfencingandsheds.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/3012-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/3012-16-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2740-21-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
2808	xuhsbsshb.exe
3012	xuhsbsshb.exe

Loads dropped DLL 2 IoCs

pid	Process
2692	916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe
2808	xuhsbsshb.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2808 set thread context of 3012	2808	xuhsbsshb.exe	31
PID 3012 set thread context of 1192	3012	xuhsbsshb.exe	21
PID 2740 set thread context of 1192	2740	control.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xuhsbsshb.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3012	xuhsbsshb.exe
3012	xuhsbsshb.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe
2740	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3012	xuhsbsshb.exe
3012	xuhsbsshb.exe
3012	xuhsbsshb.exe
2740	control.exe
2740	control.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	xuhsbsshb.exe
Token: SeDebugPrivilege	2740	control.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2808	2692	916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe	30
PID 2692 wrote to memory of 2808	2692	916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe	30
PID 2692 wrote to memory of 2808	2692	916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe	30
PID 2692 wrote to memory of 2808	2692	916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe	30
PID 2808 wrote to memory of 3012	2808	xuhsbsshb.exe	31
PID 2808 wrote to memory of 3012	2808	xuhsbsshb.exe	31
PID 2808 wrote to memory of 3012	2808	xuhsbsshb.exe	31
PID 2808 wrote to memory of 3012	2808	xuhsbsshb.exe	31
PID 2808 wrote to memory of 3012	2808	xuhsbsshb.exe	31
PID 2808 wrote to memory of 3012	2808	xuhsbsshb.exe	31
PID 2808 wrote to memory of 3012	2808	xuhsbsshb.exe	31
PID 1192 wrote to memory of 2740	1192	Explorer.EXE	32
PID 1192 wrote to memory of 2740	1192	Explorer.EXE	32
PID 1192 wrote to memory of 2740	1192	Explorer.EXE	32
PID 1192 wrote to memory of 2740	1192	Explorer.EXE	32
PID 2740 wrote to memory of 2584	2740	control.exe	33
PID 2740 wrote to memory of 2584	2740	control.exe	33
PID 2740 wrote to memory of 2584	2740	control.exe	33
PID 2740 wrote to memory of 2584	2740	control.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe
  "C:\Users\Admin\AppData\Local\Temp\916715cdd3cb9f6670424bd4f72682cdc4343d79fd36b19de992ee2c3095ecdeN.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe
    C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe C:\Users\Admin\AppData\Local\Temp\ukilojtrz
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe
      C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe C:\Users\Admin\AppData\Local\Temp\ukilojtrz
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3012
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0j9qjdm913vb7j0eyxt

Filesize
213KB

MD5
46ff5a0f2ac2424921fd161e8497dd6a

SHA1
0086ed96bc8f03dd77eba02e5669fe1c54f90d79

SHA256
e8ccd88569cf6f25118135c988a15b8deab2bb3789537182219c41a33b08654b

SHA512
dad931f448fa198e666ea3d39d7941b0a385f64c67a2a1a5533ae6f3a0b199b3cd47dd622d3029b7e338a1f2ede917db58b3d9eb481474e5e47566775c3756b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukilojtrz

Filesize
4KB

MD5
94cdc5fa8c30e1c1d361a4d7deb9b3ca

SHA1
c1c7316895f5aa5cd5b51ef876056dbcb0814632

SHA256
e6f2622adb08b89a002a501a6c6615291eec326f6233a57152545fa3afa2a856

SHA512
dc7edda3e1f9e4947c9da0f6f63ffe46865d2f9225e2cca36c2292b8710610da2417e1067fde99fffd110012965fe7eda75fc7f8e662edb3e4c0a8c387ef8d7c

Download Submit
\Users\Admin\AppData\Local\Temp\xuhsbsshb.exe

Filesize
4KB

MD5
daa39e25fb5b25bd1e42408efdac928f

SHA1
665426ddf94268322d180128a92ddb2f45b1d3b8

SHA256
7e5a0ec65f4c96a6b8de07c341282da8777fc45f4976e415f1738fa165d0a272

SHA512
42cae6cc93a923965a65b70c68a46e63246d5af0175cbf7e4fc33ecf8d5bd2ffc1395c4237411292136daf36ebf132567cfa2f6dc2a7ec7d33d482cee2cb4903

Download Submit
memory/1192-18-0x0000000007540000-0x00000000076AE000-memory.dmp

Filesize
1.4MB

Download
memory/1192-22-0x0000000007540000-0x00000000076AE000-memory.dmp

Filesize
1.4MB

Download
memory/2740-21-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2740-19-0x0000000000D60000-0x0000000000D7F000-memory.dmp

Filesize
124KB

Download
memory/2740-20-0x0000000000D60000-0x0000000000D7F000-memory.dmp

Filesize
124KB

Download
memory/2808-9-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/3012-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3012-17-0x0000000000190000-0x00000000001A1000-memory.dmp

Filesize
68KB

Download
memory/3012-14-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/3012-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing