xloader | ac00f76b8b9b7a4da749a85063b49c446b4b50e9837907c737a4675bcee43c3d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe
Size

4.4MB
MD5

57c89dd8d8ff1fd5192ce1c48c3acbd6
SHA1

c3a94aedc5fce3afdafe25ac648f3579e71cfaf3
SHA256

13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69
SHA512

bdb1017d539ebdaf39b921ce580d064bd5d148d53def3c0b6879b469e798b212b70e334026c33bf5418afd40a507becb0898df2848b17ec3c961bf2e8bc32479
SSDEEP

98304:l+/nt0ET4PHnq6UYWqq0e/m5Si4/lmBcRC3HnkSR5lxrA7SFqIG:g/Gd/UYIX+5SiWlUL39V67SF

Score

10^/10

xloader avc9 discovery loader persistence pyinstaller rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

avc9

Decoy

thejamalpur.com

oneofthemthere.com

instaleadsolutionsllc.com

dorchestercountyhomehunter.com

digirmbbank.com

taeheavyequipmentparts.xyz

topless.cloud

heatherhuntercoaching.com

pennysworld.net

auirz.xyz

conserfic.com

haroopet.com

perazabenefits.com

tuftmultimodal.com

quanlailai.com

revealsonwheels.com

rafaellaepedro.com

cowbex.info

cobject-studio.com

odp.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x0009000000023c36-18.dat	xloader
behavioral2/memory/2692-51-0x0000000000800000-0x0000000000829000-memory.dmp	xloader
behavioral2/memory/1164-55-0x0000000000A40000-0x0000000000A69000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe

Executes dropped EXE 3 IoCs

pid	Process
4992	Rzgidohumje.exe
2692	Cykcviuvopiuva.exe
1868	Rzgidohumje.exe

Loads dropped DLL 5 IoCs

pid	Process
1868	Rzgidohumje.exe
1868	Rzgidohumje.exe
1868	Rzgidohumje.exe
1868	Rzgidohumje.exe
1868	Rzgidohumje.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\%s = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Rzgidohumje.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2692 set thread context of 3508	2692	Cykcviuvopiuva.exe	56
PID 1164 set thread context of 3508	1164	systray.exe	56

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0009000000023c35-10.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cykcviuvopiuva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rzgidohumje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rzgidohumje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1556	reg.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2692	Cykcviuvopiuva.exe
2692	Cykcviuvopiuva.exe
2692	Cykcviuvopiuva.exe
2692	Cykcviuvopiuva.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe
1164	systray.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2692	Cykcviuvopiuva.exe
2692	Cykcviuvopiuva.exe
2692	Cykcviuvopiuva.exe
1164	systray.exe
1164	systray.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	Cykcviuvopiuva.exe
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeDebugPrivilege	1164	systray.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 4992	372	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe	84
PID 372 wrote to memory of 4992	372	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe	84
PID 372 wrote to memory of 4992	372	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe	84
PID 372 wrote to memory of 2692	372	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe	85
PID 372 wrote to memory of 2692	372	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe	85
PID 372 wrote to memory of 2692	372	13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe	85
PID 4992 wrote to memory of 1868	4992	Rzgidohumje.exe	86
PID 4992 wrote to memory of 1868	4992	Rzgidohumje.exe	86
PID 4992 wrote to memory of 1868	4992	Rzgidohumje.exe	86
PID 3508 wrote to memory of 1164	3508	Explorer.EXE	87
PID 3508 wrote to memory of 1164	3508	Explorer.EXE	87
PID 3508 wrote to memory of 1164	3508	Explorer.EXE	87
PID 1868 wrote to memory of 976	1868	Rzgidohumje.exe	88
PID 1868 wrote to memory of 976	1868	Rzgidohumje.exe	88
PID 1868 wrote to memory of 976	1868	Rzgidohumje.exe	88
PID 976 wrote to memory of 1556	976	cmd.exe	90
PID 976 wrote to memory of 1556	976	cmd.exe	90
PID 976 wrote to memory of 1556	976	cmd.exe	90
PID 1164 wrote to memory of 4720	1164	systray.exe	91
PID 1164 wrote to memory of 4720	1164	systray.exe	91
PID 1164 wrote to memory of 4720	1164	systray.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe
  "C:\Users\Admin\AppData\Local\Temp\13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Users\Admin\AppData\Local\Temp\Rzgidohumje.exe
    "C:\Users\Admin\AppData\Local\Temp\Rzgidohumje.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\Rzgidohumje.exe
      "C:\Users\Admin\AppData\Local\Temp\Rzgidohumje.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v %s /f /d ""C:\Users\Admin\AppData\Local\Temp\Rzgidohumje.exe"""
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:976
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v %s /f /d ""C:\Users\Admin\AppData\Local\Temp\Rzgidohumje.exe""
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1556
- - C:\Users\Admin\AppData\Local\Temp\Cykcviuvopiuva.exe
    "C:\Users\Admin\AppData\Local\Temp\Cykcviuvopiuva.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Cykcviuvopiuva.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cykcviuvopiuva.exe

Filesize
161KB

MD5
aae5f5da4b1a7820f9426ab944bf3323

SHA1
da9a63613806d54e1f15ad8629bfbffc3991d739

SHA256
224bcbd7f07ec093fe50f5a73934d19ac841d4839359a9696ac1da328189b72e

SHA512
e02bc0765e3a080c389a92482b9349e8130562357a1befcbc56a084c38441a0fa104128c966033e22fdfae3173a073a3d26f0a953cf9c2623daeb08c795b87c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rzgidohumje.exe

Filesize
4.4MB

MD5
da22720d73116b677cf8619da50c2a13

SHA1
dccd4234e25521e55921c6639f4fa464d5d4736a

SHA256
574c1c8a01562e3d993785599b0107bd5a8f5543936a395214d831d6975eed2d

SHA512
2f1dc9414701414411a8fe219964ea4a7781f0dfb5d946bfea136a8388522b5980b463d1e4c47038a4ed7bda56586012ce379ead9fc14e2b5ae01af5c43851d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_ctypes.pyd

Filesize
90KB

MD5
66c86a1d24b3f6c05a91001f0a17c17d

SHA1
40fc587d4bb555e4f988d63233cad3bc631c6562

SHA256
705fd4420dfda74ca11b728bf05cd32754e2a84edb3ab7ca8804188fc9da0bf3

SHA512
0d901e8d8fbd5d7d0ed8c3102e3b651d675f5b952812638a24147167bcc161b987749094f6656fce078f76634f4c40805c936bee99c919764e5ebde8d53a9d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_socket.pyd

Filesize
45KB

MD5
403dc390998a2145dcf8dd0d999a9cfb

SHA1
56962da139ab0c581fed5cff614613b8c981d5a5

SHA256
ab5fca1f32eb0cd344bebeeed2051736e8b3f70175a0d6778a6eb125cd6e2893

SHA512
46cf695748faed8573bc1d9924fb3332149618570dea6d5b9d4fe5c123e8bdbd3bbf8d0ad196d4731dbcd6af5cd01360fce918b6b4e0e16d7a74db49a20481f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\_ssl.pyd

Filesize
1.4MB

MD5
b4f3a7abd7101727bdf9c71c398b3a14

SHA1
db0b78d4ab8706e50fbefe4fdfa66d8c4e853096

SHA256
3b41ea4ef99ee665a8aa51b9e1839b44feab746df8e452a05ab5d5dc8b737158

SHA512
5069b9752f057f3e0044bd5e7837bc909d50c1726ef8577e1a50a4eaf4238aae54e3b73e8ba59ba4a66b7e4edd0e9a18e09394744faa04775a25cb43797ab393

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\bz2.pyd

Filesize
69KB

MD5
e0bd2966e0eb55d34a872eeba0c82d64

SHA1
4d15109c5696db3951aa021ece40e41420f311b3

SHA256
8fbef3b5deaed495a369054b5d2ca579ea967d73024e052fa127cf65c655b7ee

SHA512
1da36acaddb6022446c5607aba7047f6c7547c03ccd958490fdc83370ce7923650715b2edc244c35584ff951c9dfb1f90bc06543628f5c08078b1b01f75d6bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49922\python27.dll

Filesize
2.5MB

MD5
9c600ecd4158b400f010ee20305acdec

SHA1
4fe9062e68d2104c9a5ee7029cf44bce71a91d99

SHA256
359b601a940d231551aa5f138c803baa5c9eb5275db6b794adf64fbf399518b3

SHA512
1d91cd9027ec4cdbf298f5dede07464552d48bf9d8cc4bb0e70748af66846edfbc66a08706dc34a0873855c99a715c3281d785e179c413b4736fb220fc85ef42

Download Submit
memory/372-37-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/372-4-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/372-2-0x0000000004EF0000-0x0000000005494000-memory.dmp

Filesize
5.6MB

Download
memory/372-1-0x0000000000400000-0x000000000086A000-memory.dmp

Filesize
4.4MB

Download
memory/372-3-0x0000000004DB0000-0x0000000004E42000-memory.dmp

Filesize
584KB

Download
memory/372-0-0x000000007503E000-0x000000007503F000-memory.dmp

Filesize
4KB

Download
memory/372-5-0x00000000054C0000-0x00000000054CA000-memory.dmp

Filesize
40KB

Download
memory/1164-55-0x0000000000A40000-0x0000000000A69000-memory.dmp

Filesize
164KB

Download
memory/1164-53-0x00000000000F0000-0x00000000000F6000-memory.dmp

Filesize
24KB

Download
memory/1164-54-0x00000000000F0000-0x00000000000F6000-memory.dmp

Filesize
24KB

Download
memory/2692-40-0x0000000000E40000-0x000000000118A000-memory.dmp

Filesize
3.3MB

Download
memory/2692-51-0x0000000000800000-0x0000000000829000-memory.dmp

Filesize
164KB

Download
memory/2692-50-0x000000000081D000-0x000000000081E000-memory.dmp

Filesize
4KB

Download
memory/3508-52-0x0000000007F40000-0x000000000804F000-memory.dmp

Filesize
1.1MB

Download
memory/3508-56-0x0000000007F40000-0x000000000804F000-memory.dmp

Filesize
1.1MB

Download
memory/3508-60-0x00000000025B0000-0x0000000002653000-memory.dmp

Filesize
652KB

Download