xloader | 55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75.exe
Size

780KB
MD5

62bbb998a6516eb7756f9651f7926057
SHA1

6c55a0321b069000de946d77cf36e9915a047567
SHA256

55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75
SHA512

f563c5af3f0bd54658573a9f35bc26f019e633ee237d01e8959e8b5f6dbe65f633b5275644b4edc70be96791ecdf918dc692b2db45a0e17fda54aa6dda423e6a
SSDEEP

12288:lZ8SxrEJgYYz0R2iNmQQoHjSqo9TVYxy0MIZsvIYr8Xa47pIOrgEw7UB4unbRoyw:wSxr9C1oQQ4wjaZsvIC8XDtxw7DGGy1

Score

10^/10

xloader rzwo discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rzwo

Decoy

1metroband.com

erobal.com

zzyykx.com

chamallino.com

ehrlichforjustice.com

fzshangmao.net

bulkprices.info

schlafen.xyz

footspan.com

jano5tau.xyz

ukrainianwriters.com

clf010.com

kgvf.email

matura-natural.com

life23.club

yuanxuhuafu.com

autism-101.com

lithiumhexafluorophosphate.net

ducer.info

tender.guru

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2640-15-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 2640	1800	55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2640	55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2640	1800	55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75.exe	31
PID 1800 wrote to memory of 2640	1800	55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75.exe	31
PID 1800 wrote to memory of 2640	1800	55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75.exe	31
PID 1800 wrote to memory of 2640	1800	55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75.exe	31
PID 1800 wrote to memory of 2640	1800	55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75.exe	31
PID 1800 wrote to memory of 2640	1800	55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75.exe	31
PID 1800 wrote to memory of 2640	1800	55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75.exe	31

C:\Users\Admin\AppData\Local\Temp\55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75.exe
"C:\Users\Admin\AppData\Local\Temp\55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75.exe
  "C:\Users\Admin\AppData\Local\Temp\55bcf26a637c6331d509550c43cfcf66adcd29146db0f901f12c7639f69fab75.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1800-6-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/1800-8-0x0000000000730000-0x0000000000760000-memory.dmp

Filesize
192KB

Download
memory/1800-2-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/1800-3-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/1800-4-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/1800-5-0x000000007426E000-0x000000007426F000-memory.dmp

Filesize
4KB

Download
memory/1800-1-0x0000000001360000-0x000000000142A000-memory.dmp

Filesize
808KB

Download
memory/1800-7-0x0000000005210000-0x00000000052C0000-memory.dmp

Filesize
704KB

Download
memory/1800-0-0x000000007426E000-0x000000007426F000-memory.dmp

Filesize
4KB

Download
memory/1800-16-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2640-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2640-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2640-17-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download