xloader | 768f7b22ab2a7c43914ce865f49ac9300bf98a0e40b8c2af8fd5144241435570

General

Target

377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744.exe
Size

340KB
MD5

19becff2f656ca71ab841ef21326e577
SHA1

d8558e5b66f691967699071138b3042ad5560895
SHA256

377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744
SHA512

e959036d29c2e11945c92517d7505cb9d8a0d774cfffc9ea91797a74378912a0b75edb6afa278ef4ab6a43ea5f1c11b0f4ee708faecde64fa60928bd2ad20ba8
SSDEEP

6144:rGiNO66MLnlsoebXltYhzAlH9bun+JU6ks2VTD7+ylh1fC0oU:hO6D96tYGliAkdTDK41fjP

Score

10^/10

xloader jrbi discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

jrbi

Decoy

dellukclients.com

trackusppackage.info

xzycedu.com

mk-english.com

dailyromance.club

thegreat.store

mycollegemail.com

roshinimotordrivingschool.com

easonshen.com

herbaluntukkesehatan.com

kickonlines.com

xtrategit.com

antifiatsocial.club

boiyr.info

binodclassicalofficials.com

crescendomg.com

kengriffeyjrnft.com

creativenft.xyz

fusionwaxmelts.com

dgwb7.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/3020-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/3020-16-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2488-22-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
2192	rhirzqxzel.exe
3020	rhirzqxzel.exe

Loads dropped DLL 2 IoCs

pid	Process
2004	377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744.exe
2192	rhirzqxzel.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 3020	2192	rhirzqxzel.exe	31
PID 3020 set thread context of 1344	3020	rhirzqxzel.exe	21
PID 2488 set thread context of 1344	2488	chkdsk.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chkdsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhirzqxzel.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3020	rhirzqxzel.exe
3020	rhirzqxzel.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe
2488	chkdsk.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3020	rhirzqxzel.exe
3020	rhirzqxzel.exe
3020	rhirzqxzel.exe
2488	chkdsk.exe
2488	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	rhirzqxzel.exe
Token: SeDebugPrivilege	2488	chkdsk.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2192	2004	377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744.exe	30
PID 2004 wrote to memory of 2192	2004	377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744.exe	30
PID 2004 wrote to memory of 2192	2004	377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744.exe	30
PID 2004 wrote to memory of 2192	2004	377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744.exe	30
PID 2192 wrote to memory of 3020	2192	rhirzqxzel.exe	31
PID 2192 wrote to memory of 3020	2192	rhirzqxzel.exe	31
PID 2192 wrote to memory of 3020	2192	rhirzqxzel.exe	31
PID 2192 wrote to memory of 3020	2192	rhirzqxzel.exe	31
PID 2192 wrote to memory of 3020	2192	rhirzqxzel.exe	31
PID 2192 wrote to memory of 3020	2192	rhirzqxzel.exe	31
PID 2192 wrote to memory of 3020	2192	rhirzqxzel.exe	31
PID 1344 wrote to memory of 2488	1344	Explorer.EXE	35
PID 1344 wrote to memory of 2488	1344	Explorer.EXE	35
PID 1344 wrote to memory of 2488	1344	Explorer.EXE	35
PID 1344 wrote to memory of 2488	1344	Explorer.EXE	35
PID 2488 wrote to memory of 2804	2488	chkdsk.exe	36
PID 2488 wrote to memory of 2804	2488	chkdsk.exe	36
PID 2488 wrote to memory of 2804	2488	chkdsk.exe	36
PID 2488 wrote to memory of 2804	2488	chkdsk.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744.exe
  "C:\Users\Admin\AppData\Local\Temp\377f7b2c2c6adc9cbb464dbce216962a7c7f55ee2ca95a5e89020f4115abe744.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\rhirzqxzel.exe
    C:\Users\Admin\AppData\Local\Temp\rhirzqxzel.exe C:\Users\Admin\AppData\Local\Temp\qenbldawg
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\rhirzqxzel.exe
      C:\Users\Admin\AppData\Local\Temp\rhirzqxzel.exe C:\Users\Admin\AppData\Local\Temp\qenbldawg
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3020
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2896
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2776
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2596
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\rhirzqxzel.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\po6bh2ndceyluwoq3

Filesize
213KB

MD5
d3d11ce889f31bb798629123cb3f2e9e

SHA1
92ae026a3a9bb81fed4558f2b03938fdc61e9e66

SHA256
d017475ae0fe8888dce5384e5cb4668a26c5fb662a0e57595f91bbac8f50d5a4

SHA512
caed9575f7325159edb4a506f2fab0d0f5e21f1c2ab311a1070454853c2227a52a85a685db47b6a392771d3467967c514f7bdb064291db5cb523555c3b0777f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qenbldawg

Filesize
5KB

MD5
ad8296469a742dd29b322430856c5896

SHA1
7e35ad46bf09e8410d5c5ed9636952f4a0856a16

SHA256
6783af2d4c44db94721c12483cabc1cfe6ba184ce1186f04f4b44395d78ca57b

SHA512
65bc71fe0b7f3943b4319d21fa91751fe07afec5b7761a8375d8f43127a5d5f4a575d38618d920a199f359e2ca97b1656b0755d8f68dd3aad97f31b31812b353

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhirzqxzel.exe

Filesize
179KB

MD5
8eba063264c95a7a03ff814a0a52e290

SHA1
b4f369189f03b9226f5c7deec519f3d32add08a2

SHA256
77b2a7dfaf2070513e4ba93278e59bc90fb2c357ae6ecb04a4f5a220929d0753

SHA512
7dfb74454d19157f6659bdafedd179145140a7dd6f8bb74f0b8a4d00530306c9fd8ab72219e1731f0a5291ebeaa25612cb11b5a6b490697b39ad5c9dd1eea2f6

Download Submit
memory/1344-19-0x0000000004150000-0x000000000421C000-memory.dmp

Filesize
816KB

Download
memory/1344-18-0x0000000003760000-0x0000000003860000-memory.dmp

Filesize
1024KB

Download
memory/1344-23-0x0000000004150000-0x000000000421C000-memory.dmp

Filesize
816KB

Download
memory/2192-8-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/2488-20-0x00000000006D0000-0x00000000006D7000-memory.dmp

Filesize
28KB

Download
memory/2488-21-0x00000000006D0000-0x00000000006D7000-memory.dmp

Filesize
28KB

Download
memory/2488-22-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/3020-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3020-14-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/3020-17-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download
memory/3020-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing