xloader | 136985f3f221620819fd04eda2a931f34e9e6a66ed8d63495c6f76155edd9b75

General

Target

97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a.exe
Size

251KB
MD5

97206e8b31ee16ef3d47eab75ba0c9d5
SHA1

c152b70ac2a5a2fbdd38439eeab9b432339dc381
SHA256

97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a
SHA512

66b88c23d5168341299f0758bb06763f09d1ede5d8fe6cb7f397676f681fe5e233a87815cf5eef2bba3b6c6eaf4f5cb066bec1675b34f97745932a6fa31227af
SSDEEP

3072:B1NjcVVnLpPunbR73LSVVcFeqcL+ztw9jtAXFUOpJ4BEeT6d9Eh7Q7Ql6stCEuhX:bNeZmxNtcLkw01FuBFW9i7sQ8uTxPoRz

Score

10^/10

xloader r0ku discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

r0ku

Decoy

profit-fx.com

anyclosings.com

genomepowered.com

it-brainpool.com

industriaselreynino.com

theballaratshop.com

niseysway.com

carpesntertechnology.com

newbalancegirls.xyz

stylishwearz.com

duiqn.icu

amaltheaklinikken.com

romecovidsummit.net

jsyysn.com

uctwifi.net

girlshustle.com

xn--vp-xka.com

mypatinacare.com

immobilienmaklerinspanien.info

worldqkqk.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2852-14-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2852-17-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2768-23-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
2352	glmvoahjy.exe
2852	glmvoahjy.exe

Loads dropped DLL 2 IoCs

pid	Process
2960	97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a.exe
2352	glmvoahjy.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2352 set thread context of 2852	2352	glmvoahjy.exe	31
PID 2852 set thread context of 1252	2852	glmvoahjy.exe	21
PID 2768 set thread context of 1252	2768	cmmon32.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	glmvoahjy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmmon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2852	glmvoahjy.exe
2852	glmvoahjy.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe
2768	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2852	glmvoahjy.exe
2852	glmvoahjy.exe
2852	glmvoahjy.exe
2768	cmmon32.exe
2768	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	glmvoahjy.exe
Token: SeDebugPrivilege	2768	cmmon32.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2352	2960	97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a.exe	30
PID 2960 wrote to memory of 2352	2960	97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a.exe	30
PID 2960 wrote to memory of 2352	2960	97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a.exe	30
PID 2960 wrote to memory of 2352	2960	97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a.exe	30
PID 2352 wrote to memory of 2852	2352	glmvoahjy.exe	31
PID 2352 wrote to memory of 2852	2352	glmvoahjy.exe	31
PID 2352 wrote to memory of 2852	2352	glmvoahjy.exe	31
PID 2352 wrote to memory of 2852	2352	glmvoahjy.exe	31
PID 2352 wrote to memory of 2852	2352	glmvoahjy.exe	31
PID 2352 wrote to memory of 2852	2352	glmvoahjy.exe	31
PID 2352 wrote to memory of 2852	2352	glmvoahjy.exe	31
PID 1252 wrote to memory of 2768	1252	Explorer.EXE	32
PID 1252 wrote to memory of 2768	1252	Explorer.EXE	32
PID 1252 wrote to memory of 2768	1252	Explorer.EXE	32
PID 1252 wrote to memory of 2768	1252	Explorer.EXE	32
PID 2768 wrote to memory of 540	2768	cmmon32.exe	33
PID 2768 wrote to memory of 540	2768	cmmon32.exe	33
PID 2768 wrote to memory of 540	2768	cmmon32.exe	33
PID 2768 wrote to memory of 540	2768	cmmon32.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a.exe
  "C:\Users\Admin\AppData\Local\Temp\97ea9eb9abdc300ce758c07ef0a31854be8342969bcacfc458e642540b63d63a.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\glmvoahjy.exe
    C:\Users\Admin\AppData\Local\Temp\glmvoahjy.exe C:\Users\Admin\AppData\Local\Temp\tqecasoyy
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\glmvoahjy.exe
      C:\Users\Admin\AppData\Local\Temp\glmvoahjy.exe C:\Users\Admin\AppData\Local\Temp\tqecasoyy
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2852
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\glmvoahjy.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\muknjfeee8l

Filesize
214KB

MD5
aa43485753e947755b3c8c3dbb3361c2

SHA1
4736e91d2653674b3d7980aecdb5bfd229b539a4

SHA256
28637ca5c43bf76dc87730b0c3e4f28b185b20eb7f1dc8ab33c603f430d92cd6

SHA512
cc688835b4ca06135e6b78587acf94cf03d47498c93ded5c8e432d357c62334bf1fad995427bcf9f140664a9e4f5ad92a70a1754fad8ee087bf4aa010655f62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqecasoyy

Filesize
5KB

MD5
a1a8a509af6adc2e9268cc980b73d212

SHA1
345d370630623d58e5fe33b825e1c8bfce1f61c3

SHA256
7bb3c803d687bad9745ca83d390ae94aef0ae770f2965a97bf6963e579828959

SHA512
6c573f8ff9831ecbb81d4291b802e5e35500e844ec861f55b6e0f15d85b5865a173f2a8df11ba017c190eb24cb6a004d20ba2fa4c25ca2129f48997af6f5bbac

Download Submit
\Users\Admin\AppData\Local\Temp\glmvoahjy.exe

Filesize
4KB

MD5
dea5c229f2b9623e29d3236d26da3551

SHA1
782235d5f7991fef92f72ad3aa045fc1105708f3

SHA256
c8dce5a38599e3e4929af394c86710593dd84388e18ee9f512800685c909d2d8

SHA512
4a3aaa23d5ea3801ae64ae71d7e3824a8e3f817d61c617619c31a3842ec30668c1d0e1729fe519315285132664ced11a558a30e1e06e48c457840eb9a9573e94

Download Submit
memory/1252-20-0x0000000006BA0000-0x0000000006D17000-memory.dmp

Filesize
1.5MB

Download
memory/1252-19-0x0000000002F90000-0x0000000003090000-memory.dmp

Filesize
1024KB

Download
memory/1252-24-0x0000000006BA0000-0x0000000006D17000-memory.dmp

Filesize
1.5MB

Download
memory/2352-9-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2768-21-0x0000000000A30000-0x0000000000A3D000-memory.dmp

Filesize
52KB

Download
memory/2768-22-0x0000000000A30000-0x0000000000A3D000-memory.dmp

Filesize
52KB

Download
memory/2768-23-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2852-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-15-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/2852-18-0x0000000000180000-0x0000000000191000-memory.dmp

Filesize
68KB

Download
memory/2852-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing