xloader | e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18

General

Target

e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18N.exe
Size

425KB
MD5

9e3e2b8f340761fd7f3630a5d6b1e340
SHA1

412eb58ce7d49774bc23ab59a29609ac934b3f88
SHA256

e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18
SHA512

85dcb2079a0906fbb6f9dbef556638e55ce4f619d4830083f2de558c7f5f9ef4c61c57f47f31712f4f21bf2487fcf604889425da3c7872686a53cb2b43df4eac
SSDEEP

12288:oNe9Z6Vh5xgJbZ3HxORkEE8T+BFd5kYhbua2TbxKzQkYI:oNOZ663HxqkEYBhk2UbaQkYI

Score

10^/10

xloader s2q8 discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

s2q8

Decoy

zenithcrushers.net

jeffreysfranchise.store

unavidaparaserfeliz.com

notvaccinatedjobs.com

jisakuzushi.com

demeet.xyz

immersioneconme.online

powercable.xyz

mingwwww.store

analystaide.com

ajfotografie.com

mothersmilktn.com

judithlisachomes.com

simplythaliachicago.com

goetzerehnstiftung.net

nowsportslive.online

hallowseason.com

triple16.com

grupomalucelli.com

fdtwr.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2252-14-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral1/memory/2252-16-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral1/memory/2260-22-0x0000000000070000-0x000000000009A000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
1872	cpjkhm.exe
2252	cpjkhm.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18N.exe
1872	cpjkhm.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1872 set thread context of 2252	1872	cpjkhm.exe	31
PID 2252 set thread context of 1128	2252	cpjkhm.exe	20
PID 2260 set thread context of 1128	2260	cscript.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpjkhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2252	cpjkhm.exe
2252	cpjkhm.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe
2260	cscript.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2252	cpjkhm.exe
2252	cpjkhm.exe
2252	cpjkhm.exe
2260	cscript.exe
2260	cscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	cpjkhm.exe
Token: SeDebugPrivilege	2260	cscript.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1872	2328	e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18N.exe	30
PID 2328 wrote to memory of 1872	2328	e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18N.exe	30
PID 2328 wrote to memory of 1872	2328	e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18N.exe	30
PID 2328 wrote to memory of 1872	2328	e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18N.exe	30
PID 1872 wrote to memory of 2252	1872	cpjkhm.exe	31
PID 1872 wrote to memory of 2252	1872	cpjkhm.exe	31
PID 1872 wrote to memory of 2252	1872	cpjkhm.exe	31
PID 1872 wrote to memory of 2252	1872	cpjkhm.exe	31
PID 1872 wrote to memory of 2252	1872	cpjkhm.exe	31
PID 1872 wrote to memory of 2252	1872	cpjkhm.exe	31
PID 1872 wrote to memory of 2252	1872	cpjkhm.exe	31
PID 1128 wrote to memory of 2260	1128	Explorer.EXE	32
PID 1128 wrote to memory of 2260	1128	Explorer.EXE	32
PID 1128 wrote to memory of 2260	1128	Explorer.EXE	32
PID 1128 wrote to memory of 2260	1128	Explorer.EXE	32
PID 2260 wrote to memory of 1532	2260	cscript.exe	33
PID 2260 wrote to memory of 1532	2260	cscript.exe	33
PID 2260 wrote to memory of 1532	2260	cscript.exe	33
PID 2260 wrote to memory of 1532	2260	cscript.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18N.exe
  "C:\Users\Admin\AppData\Local\Temp\e9f7cfd8b9d74705231e5f33e572447688fb8973a26db1c8b608872117ee3e18N.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\cpjkhm.exe
    C:\Users\Admin\AppData\Local\Temp\cpjkhm.exe C:\Users\Admin\AppData\Local\Temp\rsrpwoa
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\cpjkhm.exe
      C:\Users\Admin\AppData\Local\Temp\cpjkhm.exe C:\Users\Admin\AppData\Local\Temp\rsrpwoa
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2252
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\cpjkhm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\43tamsc4ul0czb3zcwio

Filesize
164KB

MD5
443aa56a81564e582bd77f49e097ec1d

SHA1
499b8d829bd4039cdbcfbc460721a960dddbc331

SHA256
2b20bdb5ba885f7048423ba5101a8ba25572edc83b47bf9a91e4759289e7203e

SHA512
9006d9f9924e40f3750e7c57fb5b877608ea8e64604430052fa0c996de15bf290b7425a317d93d95e66a2bd4e8f00561620d8eaffca04e2400010e25f2e773c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsrpwoa

Filesize
5KB

MD5
b1eb9cee4d231da2b61529d7d08e1462

SHA1
a5899d003c42eb8217bf3ef0c6e5795817ee601b

SHA256
f819a228776b0f2f3b5842b4bd88ab443c7fb653e0ff956f4901d684d3bbe8c3

SHA512
8190ae6716d0aa64af9f44990faaee1b7c27fc8881006dcd43a02de03a93f21ddf7757084c601b4cf450e2e61d7e714283e8be23f4d0ff533b5a913800078f7f

Download Submit
\Users\Admin\AppData\Local\Temp\cpjkhm.exe

Filesize
4KB

MD5
c910a97bac72a537aa24144427c69290

SHA1
98382514ee34de89bdf8da5e0c136c5d0cb4097a

SHA256
4921031a6f9c7d20fe0a849eee9f16d792733fd34f32b346ac43098421093c43

SHA512
2440c8fa743ba50b3ed973fb514e5a636a0aad82fafa48415e840df18f44d6553d450edad7cb417623288b883ea6316fbe40a567bc7e3ca85035b9b03740bc1d

Download Submit
memory/1128-17-0x0000000006210000-0x0000000006358000-memory.dmp

Filesize
1.3MB

Download
memory/1128-23-0x0000000006210000-0x0000000006358000-memory.dmp

Filesize
1.3MB

Download
memory/1872-9-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2252-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2252-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2260-21-0x0000000000300000-0x0000000000322000-memory.dmp

Filesize
136KB

Download
memory/2260-20-0x0000000000300000-0x0000000000322000-memory.dmp

Filesize
136KB

Download
memory/2260-22-0x0000000000070000-0x000000000009A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing