xloader | ac00f76b8b9b7a4da749a85063b49c446b4b50e9837907c737a4675bcee43c3d

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe
Size

4.4MB
MD5

57c89dd8d8ff1fd5192ce1c48c3acbd6
SHA1

c3a94aedc5fce3afdafe25ac648f3579e71cfaf3
SHA256

13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69
SHA512

bdb1017d539ebdaf39b921ce580d064bd5d148d53def3c0b6879b469e798b212b70e334026c33bf5418afd40a507becb0898df2848b17ec3c961bf2e8bc32479
SSDEEP

98304:l+/nt0ET4PHnq6UYWqq0e/m5Si4/lmBcRC3HnkSR5lxrA7SFqIG:g/Gd/UYIX+5SiWlUL39V67SF

Score

10^/10

xloader avc9 discovery loader persistence pyinstaller rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

avc9

Decoy

thejamalpur.com

oneofthemthere.com

instaleadsolutionsllc.com

dorchestercountyhomehunter.com

digirmbbank.com

taeheavyequipmentparts.xyz

topless.cloud

heatherhuntercoaching.com

pennysworld.net

auirz.xyz

conserfic.com

haroopet.com

perazabenefits.com

tuftmultimodal.com

quanlailai.com

revealsonwheels.com

rafaellaepedro.com

cowbex.info

cobject-studio.com

odp.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000014c23-16.dat	xloader
behavioral1/memory/2640-54-0x0000000000100000-0x0000000000129000-memory.dmp	xloader
behavioral1/memory/2612-58-0x00000000000C0000-0x00000000000E9000-memory.dmp	xloader

Executes dropped EXE 3 IoCs

pid	Process
2964	Rzgidohumje.exe
2640	Cykcviuvopiuva.exe
2144	Rzgidohumje.exe

Loads dropped DLL 11 IoCs

pid	Process
1044	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe
1044	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe
1044	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe
1044	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe
2964	Rzgidohumje.exe
2144	Rzgidohumje.exe
2144	Rzgidohumje.exe
2144	Rzgidohumje.exe
2144	Rzgidohumje.exe
2144	Rzgidohumje.exe
2144	Rzgidohumje.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\%s = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Rzgidohumje.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2640 set thread context of 1212	2640	Cykcviuvopiuva.exe	21
PID 2612 set thread context of 1212	2612	systray.exe	21

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000014bda-5.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rzgidohumje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rzgidohumje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2516	reg.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2640	Cykcviuvopiuva.exe
2640	Cykcviuvopiuva.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe
2612	systray.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2640	Cykcviuvopiuva.exe
2640	Cykcviuvopiuva.exe
2640	Cykcviuvopiuva.exe
2612	systray.exe
2612	systray.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	Cykcviuvopiuva.exe
Token: SeDebugPrivilege	2612	systray.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2964	1044	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe	28
PID 1044 wrote to memory of 2964	1044	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe	28
PID 1044 wrote to memory of 2964	1044	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe	28
PID 1044 wrote to memory of 2964	1044	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe	28
PID 1044 wrote to memory of 2640	1044	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe	29
PID 1044 wrote to memory of 2640	1044	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe	29
PID 1044 wrote to memory of 2640	1044	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe	29
PID 1044 wrote to memory of 2640	1044	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe	29
PID 2964 wrote to memory of 2144	2964	Rzgidohumje.exe	30
PID 2964 wrote to memory of 2144	2964	Rzgidohumje.exe	30
PID 2964 wrote to memory of 2144	2964	Rzgidohumje.exe	30
PID 2964 wrote to memory of 2144	2964	Rzgidohumje.exe	30
PID 2144 wrote to memory of 2700	2144	Rzgidohumje.exe	31
PID 2144 wrote to memory of 2700	2144	Rzgidohumje.exe	31
PID 2144 wrote to memory of 2700	2144	Rzgidohumje.exe	31
PID 2144 wrote to memory of 2700	2144	Rzgidohumje.exe	31
PID 1212 wrote to memory of 2612	1212	Explorer.EXE	33
PID 1212 wrote to memory of 2612	1212	Explorer.EXE	33
PID 1212 wrote to memory of 2612	1212	Explorer.EXE	33
PID 1212 wrote to memory of 2612	1212	Explorer.EXE	33
PID 2700 wrote to memory of 2516	2700	cmd.exe	34
PID 2700 wrote to memory of 2516	2700	cmd.exe	34
PID 2700 wrote to memory of 2516	2700	cmd.exe	34
PID 2700 wrote to memory of 2516	2700	cmd.exe	34
PID 2612 wrote to memory of 2784	2612	systray.exe	35
PID 2612 wrote to memory of 2784	2612	systray.exe	35
PID 2612 wrote to memory of 2784	2612	systray.exe	35
PID 2612 wrote to memory of 2784	2612	systray.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe
  "C:\Users\Admin\AppData\Local\Temp\13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Users\Admin\AppData\Local\Temp\Rzgidohumje.exe
    "C:\Users\Admin\AppData\Local\Temp\Rzgidohumje.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\Rzgidohumje.exe
      "C:\Users\Admin\AppData\Local\Temp\Rzgidohumje.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v %s /f /d ""C:\Users\Admin\AppData\Local\Temp\Rzgidohumje.exe"""
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v %s /f /d ""C:\Users\Admin\AppData\Local\Temp\Rzgidohumje.exe""
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2516
- - C:\Users\Admin\AppData\Local\Temp\Cykcviuvopiuva.exe
    "C:\Users\Admin\AppData\Local\Temp\Cykcviuvopiuva.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Cykcviuvopiuva.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI29642\python27.dll

Filesize
2.5MB

MD5
9c600ecd4158b400f010ee20305acdec

SHA1
4fe9062e68d2104c9a5ee7029cf44bce71a91d99

SHA256
359b601a940d231551aa5f138c803baa5c9eb5275db6b794adf64fbf399518b3

SHA512
1d91cd9027ec4cdbf298f5dede07464552d48bf9d8cc4bb0e70748af66846edfbc66a08706dc34a0873855c99a715c3281d785e179c413b4736fb220fc85ef42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29~1\_socket.pyd

Filesize
45KB

MD5
403dc390998a2145dcf8dd0d999a9cfb

SHA1
56962da139ab0c581fed5cff614613b8c981d5a5

SHA256
ab5fca1f32eb0cd344bebeeed2051736e8b3f70175a0d6778a6eb125cd6e2893

SHA512
46cf695748faed8573bc1d9924fb3332149618570dea6d5b9d4fe5c123e8bdbd3bbf8d0ad196d4731dbcd6af5cd01360fce918b6b4e0e16d7a74db49a20481f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29~1\_ssl.pyd

Filesize
1.4MB

MD5
b4f3a7abd7101727bdf9c71c398b3a14

SHA1
db0b78d4ab8706e50fbefe4fdfa66d8c4e853096

SHA256
3b41ea4ef99ee665a8aa51b9e1839b44feab746df8e452a05ab5d5dc8b737158

SHA512
5069b9752f057f3e0044bd5e7837bc909d50c1726ef8577e1a50a4eaf4238aae54e3b73e8ba59ba4a66b7e4edd0e9a18e09394744faa04775a25cb43797ab393

Download Submit
\Users\Admin\AppData\Local\Temp\Cykcviuvopiuva.exe

Filesize
161KB

MD5
aae5f5da4b1a7820f9426ab944bf3323

SHA1
da9a63613806d54e1f15ad8629bfbffc3991d739

SHA256
224bcbd7f07ec093fe50f5a73934d19ac841d4839359a9696ac1da328189b72e

SHA512
e02bc0765e3a080c389a92482b9349e8130562357a1befcbc56a084c38441a0fa104128c966033e22fdfae3173a073a3d26f0a953cf9c2623daeb08c795b87c3

Download Submit
\Users\Admin\AppData\Local\Temp\Rzgidohumje.exe

Filesize
4.4MB

MD5
da22720d73116b677cf8619da50c2a13

SHA1
dccd4234e25521e55921c6639f4fa464d5d4736a

SHA256
574c1c8a01562e3d993785599b0107bd5a8f5543936a395214d831d6975eed2d

SHA512
2f1dc9414701414411a8fe219964ea4a7781f0dfb5d946bfea136a8388522b5980b463d1e4c47038a4ed7bda56586012ce379ead9fc14e2b5ae01af5c43851d4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29642\msvcr90.dll

Filesize
638KB

MD5
1b5c42a4e92703d7f1c85b6d0b8f1c34

SHA1
fa72d425737e19e1b51e6ebb57865ec38e51b5b7

SHA256
2e13fa6feaa89396a67fb0c1c32924d2019236d34b6f97cf13287cc7d7395149

SHA512
feffde9a026fda2618b3a6a3a6f5d2f7046d8969ba8a907a361c669e0054717be58455f48675dab4ea0b5db2195d794ae37bb3dec8cd37f2cd0d6d07c822de48

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29~1\_ctypes.pyd

Filesize
90KB

MD5
66c86a1d24b3f6c05a91001f0a17c17d

SHA1
40fc587d4bb555e4f988d63233cad3bc631c6562

SHA256
705fd4420dfda74ca11b728bf05cd32754e2a84edb3ab7ca8804188fc9da0bf3

SHA512
0d901e8d8fbd5d7d0ed8c3102e3b651d675f5b952812638a24147167bcc161b987749094f6656fce078f76634f4c40805c936bee99c919764e5ebde8d53a9d25

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29~1\bz2.pyd

Filesize
69KB

MD5
e0bd2966e0eb55d34a872eeba0c82d64

SHA1
4d15109c5696db3951aa021ece40e41420f311b3

SHA256
8fbef3b5deaed495a369054b5d2ca579ea967d73024e052fa127cf65c655b7ee

SHA512
1da36acaddb6022446c5607aba7047f6c7547c03ccd958490fdc83370ce7923650715b2edc244c35584ff951c9dfb1f90bc06543628f5c08078b1b01f75d6bcd

Download Submit
memory/1044-38-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/1044-0-0x00000000740EE000-0x00000000740EF000-memory.dmp

Filesize
4KB

Download
memory/1044-2-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/1044-1-0x0000000000400000-0x000000000086A000-memory.dmp

Filesize
4.4MB

Download
memory/1212-52-0x0000000003080000-0x0000000003180000-memory.dmp

Filesize
1024KB

Download
memory/1212-55-0x0000000007420000-0x00000000075B8000-memory.dmp

Filesize
1.6MB

Download
memory/2612-56-0x00000000005D0000-0x00000000005D5000-memory.dmp

Filesize
20KB

Download
memory/2612-58-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/2640-53-0x000000000011D000-0x000000000011E000-memory.dmp

Filesize
4KB

Download
memory/2640-54-0x0000000000100000-0x0000000000129000-memory.dmp

Filesize
164KB

Download
memory/2640-46-0x0000000000980000-0x0000000000C83000-memory.dmp

Filesize
3.0MB

Download