xloader | 1ffc202c964a238fb1ea99a22a264d49953dd6c9511932f5377cf04116ffd773

General

Target

c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe
Size

304KB
MD5

d5949e2ad723b184d5622ce746b0177b
SHA1

10f1ec8f4a1ce70546a4ca25965b606ea2bc20ae
SHA256

c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487
SHA512

9a98a61a1c4f9a072ca9a809c6d582afd02826a449cfbdf58422b0e5dd7886acad515eae1a575e1097e8445eddc9d648592b62ea3560c51f008a235a1b0fa6c2
SSDEEP

6144:RNeZ2KnbGYu/gc3BOsNExg7ncENT33uRh9Y/qAMJJdLZ+cb4YO:RNpKnyXgcxOsNEEcENT33uNIqbJB4cbW

Score

10^/10

xloader mwfc discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mwfc

Decoy

a-great-intl-voip-phones.zone

police-trust-security.com

415391.com

coi-sl.com

liming-steel.com

criticalracetheoryexplained.com

pintoent.com

columbusrx.com

clarktribe.net

texasforblanchard.com

musical.voyage

priyamblogs.com

employbridge.works

americanchessmaster.com

australiaaddictioncenters.com

drkell-yann.xyz

barryisdaner.com

frankkystein.art

aromatoto7.com

alsuwal.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2364-17-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2364-19-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2100-25-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
1648	oryvzibei.exe
2364	oryvzibei.exe

Loads dropped DLL 3 IoCs

pid	Process
2528	c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe
2528	c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe
1648	oryvzibei.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1648 set thread context of 2364	1648	oryvzibei.exe	32
PID 2364 set thread context of 1176	2364	oryvzibei.exe	21
PID 2100 set thread context of 1176	2100	NETSTAT.EXE	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oryvzibei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2100	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2364	oryvzibei.exe
2364	oryvzibei.exe
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE
2100	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2364	oryvzibei.exe
2364	oryvzibei.exe
2364	oryvzibei.exe
2100	NETSTAT.EXE
2100	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	oryvzibei.exe
Token: SeDebugPrivilege	2100	NETSTAT.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 1648	2528	c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe	31
PID 2528 wrote to memory of 1648	2528	c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe	31
PID 2528 wrote to memory of 1648	2528	c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe	31
PID 2528 wrote to memory of 1648	2528	c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe	31
PID 1648 wrote to memory of 2364	1648	oryvzibei.exe	32
PID 1648 wrote to memory of 2364	1648	oryvzibei.exe	32
PID 1648 wrote to memory of 2364	1648	oryvzibei.exe	32
PID 1648 wrote to memory of 2364	1648	oryvzibei.exe	32
PID 1648 wrote to memory of 2364	1648	oryvzibei.exe	32
PID 1648 wrote to memory of 2364	1648	oryvzibei.exe	32
PID 1648 wrote to memory of 2364	1648	oryvzibei.exe	32
PID 1176 wrote to memory of 2100	1176	Explorer.EXE	33
PID 1176 wrote to memory of 2100	1176	Explorer.EXE	33
PID 1176 wrote to memory of 2100	1176	Explorer.EXE	33
PID 1176 wrote to memory of 2100	1176	Explorer.EXE	33
PID 2100 wrote to memory of 2824	2100	NETSTAT.EXE	34
PID 2100 wrote to memory of 2824	2100	NETSTAT.EXE	34
PID 2100 wrote to memory of 2824	2100	NETSTAT.EXE	34
PID 2100 wrote to memory of 2824	2100	NETSTAT.EXE	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe
  "C:\Users\Admin\AppData\Local\Temp\c34886d629b199ebcda6f6fef7fcbf5f48ba3153c6789708639b0c37d4ac5487.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\oryvzibei.exe
    C:\Users\Admin\AppData\Local\Temp\oryvzibei.exe C:\Users\Admin\AppData\Local\Temp\odifjvp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\oryvzibei.exe
      C:\Users\Admin\AppData\Local\Temp\oryvzibei.exe C:\Users\Admin\AppData\Local\Temp\odifjvp
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2364
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\oryvzibei.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\odifjvp

Filesize
4KB

MD5
bb1182030e05f8a3c49279a7886ef96c

SHA1
aeb622a2f719c27ebc716bee887b8b5ccaeed89e

SHA256
d6a52a2e8f8aabb812f26cbb77e8390a8fa4a1304dbfffedd1c641d3c086a53f

SHA512
a1b7c11d0b7eb7c5a84406a77ba07833abc925ae2e444e92c9a42558c6b3c80cddaf649dcba4329a19c9a1584b929de0706f7a57744f25c03885d0306e06d947

Download Submit
C:\Users\Admin\AppData\Local\Temp\q8h6hoagwqe

Filesize
210KB

MD5
c73396de899e9b6993217511b2b5e7cb

SHA1
8d7d0831a5cbfe70f91fc1d987cd2de806b8f72c

SHA256
fb95f337130d5653a230b63f2d7d3ca3148cc1ca74274f90e031904bb1cc2a19

SHA512
2a014ed6e834f812d3f0228fbc879871ffa51003ffb8adc1c8639ba8e2ee42a5551cee567379307106bf183b5ed5a5b6a15352327579b5ee15106da4fe4bdb1e

Download Submit
\Users\Admin\AppData\Local\Temp\oryvzibei.exe

Filesize
4KB

MD5
0361a9f359f0e790728f7233f15a24ba

SHA1
316941b24d00b64baf38a76e3a44596a6bdbef37

SHA256
60b3f54da2275f4e7062a18ad72b413db3826d00170a859ec533fb1328758594

SHA512
40bb782aff60a54a88a0d0424a6636e6d738f500b491713547c8dc43e69360ab002cb644325537e3eebacc78be654f211c93467f6fcedb603572e2ceb20ec128

Download Submit
memory/1176-20-0x0000000006B90000-0x0000000006C9A000-memory.dmp

Filesize
1.0MB

Download
memory/1176-26-0x0000000006B90000-0x0000000006C9A000-memory.dmp

Filesize
1.0MB

Download
memory/1648-12-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2100-23-0x0000000000E60000-0x0000000000E69000-memory.dmp

Filesize
36KB

Download
memory/2100-24-0x0000000000E60000-0x0000000000E69000-memory.dmp

Filesize
36KB

Download
memory/2100-25-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2364-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2364-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing