xloader | d9fe9d908100ab182772f847c7b857f793d38ef5d1e715b9013f8b31414eceba

General

Target

Spare part list.exe
Size

426KB
MD5

cac35edc87d1cdaf5ecdd34900045ccb
SHA1

1323d657bd67d03faefd521b785e0c04b48bee16
SHA256

efc607830d8ab120ce4a9fb8062b9986980430b0cc82115d9cb8aa6f4dac29ad
SHA512

8b7db67d5738da10209e59ae50ce79f39d69ad3438c4dc35110534f073a011048e2e3c21e531e1691041680bd3809297b648075950c1c6348e26dc52e85a6f8f
SSDEEP

6144:YNeZCHXOWlDX1LvW0PJ1qNmN/Nio+BmTku6tMJNiZt7MZ2kY0a0wi++sAWv/kfmE:YN/XO8M0Xq0N/8XBpMniZxi2kY0yFwvN

Score

10^/10

xloader s9nb discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

s9nb

Decoy

shaktiactive.com

kootenaycountryinn.com

lombokrinjaniproperti.com

mindbodyweightlossmethod.com

memoryrevisited.com

irina-o.online

vampirillos.com

tacoprime.com

htyrdetry5t6uyiuhy.com

azarianann.xyz

areshaawraqenab.com

hollandpokerzone.com

oaktreemarketers.com

fuckedminds.com

cosmicarcana.com

ec3.digital

gothamstoneworks.com

sacvowednexus.com

transoreia.com

sgbicyclemall.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral5/memory/2308-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral5/memory/2308-17-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral5/memory/2520-23-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
2324	rkkzui.exe
2308	rkkzui.exe

Loads dropped DLL 2 IoCs

pid	Process
1628	Spare part list.exe
2324	rkkzui.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 2308	2324	rkkzui.exe	31
PID 2308 set thread context of 1140	2308	rkkzui.exe	20
PID 2520 set thread context of 1140	2520	msdt.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Spare part list.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rkkzui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2308	rkkzui.exe
2308	rkkzui.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe
2520	msdt.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2308	rkkzui.exe
2308	rkkzui.exe
2308	rkkzui.exe
2520	msdt.exe
2520	msdt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	rkkzui.exe
Token: SeDebugPrivilege	2520	msdt.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2324	1628	Spare part list.exe	30
PID 1628 wrote to memory of 2324	1628	Spare part list.exe	30
PID 1628 wrote to memory of 2324	1628	Spare part list.exe	30
PID 1628 wrote to memory of 2324	1628	Spare part list.exe	30
PID 2324 wrote to memory of 2308	2324	rkkzui.exe	31
PID 2324 wrote to memory of 2308	2324	rkkzui.exe	31
PID 2324 wrote to memory of 2308	2324	rkkzui.exe	31
PID 2324 wrote to memory of 2308	2324	rkkzui.exe	31
PID 2324 wrote to memory of 2308	2324	rkkzui.exe	31
PID 2324 wrote to memory of 2308	2324	rkkzui.exe	31
PID 2324 wrote to memory of 2308	2324	rkkzui.exe	31
PID 1140 wrote to memory of 2520	1140	Explorer.EXE	32
PID 1140 wrote to memory of 2520	1140	Explorer.EXE	32
PID 1140 wrote to memory of 2520	1140	Explorer.EXE	32
PID 1140 wrote to memory of 2520	1140	Explorer.EXE	32
PID 2520 wrote to memory of 2752	2520	msdt.exe	34
PID 2520 wrote to memory of 2752	2520	msdt.exe	34
PID 2520 wrote to memory of 2752	2520	msdt.exe	34
PID 2520 wrote to memory of 2752	2520	msdt.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\Spare part list.exe
  "C:\Users\Admin\AppData\Local\Temp\Spare part list.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\rkkzui.exe
    C:\Users\Admin\AppData\Local\Temp\rkkzui.exe C:\Users\Admin\AppData\Local\Temp\lhmmcyvatq
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\rkkzui.exe
      C:\Users\Admin\AppData\Local\Temp\rkkzui.exe C:\Users\Admin\AppData\Local\Temp\lhmmcyvatq
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2308
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\rkkzui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0gy5z1a3hsrcrvua7f32

Filesize
210KB

MD5
c513bebbe6941d47f6df04fbf35286d7

SHA1
e36c8a60ce8c284ec91c8bb99c3aa588f5e496ec

SHA256
ecce894765837d8c0cfa132f7107e36a0163a94a6b7de91ed7b9068d49c0c7bb

SHA512
e682796dd580b13d04c6c16aa8f7a32fd5d807d7eabe2a113ada03073eaedc10319b9d5a45be48720bd1bea9f20f0d96f56eb2458b0bfb5ca6f104009e6ed993

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhmmcyvatq

Filesize
4KB

MD5
044ab2eec1a75bd7f82dc641a5d3af23

SHA1
1b05898043d0342536e115e93483b232ff0b0d60

SHA256
88e2f31f156897b8bd79e9f13294f355e0bb9a8f431f5da43f1f73e5644c9ee0

SHA512
e6b93c2037785a768e5998f9927829f2a2b40690fd561d1a50169aac29107d9247b5f93b6d91507b3235e2758545a47a1408e6abf170fe02d7d4c90024db9f17

Download Submit
\Users\Admin\AppData\Local\Temp\rkkzui.exe

Filesize
4KB

MD5
5504a85ec9912968d5730c57ee61c10b

SHA1
93a21109de21536b28dc51183c26c65d174fbb4a

SHA256
9ac40b495a05fd8d5b2f4dd668d8e0aa5932dd7171aa070e1ad6cb0a96cd6ee4

SHA512
e9dffb4a48237d4621f8d379f491dbee1879d4f6bd834d892d4cc22f30a92b2103e5bb231b0293f8b5f8848f2a050a2f295cfc8ad5c9392418519a00a1576e14

Download Submit
memory/1140-19-0x00000000050E0000-0x00000000051EB000-memory.dmp

Filesize
1.0MB

Download
memory/1140-16-0x0000000003160000-0x0000000003260000-memory.dmp

Filesize
1024KB

Download
memory/1140-22-0x00000000050E0000-0x00000000051EB000-memory.dmp

Filesize
1.0MB

Download
memory/2308-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2308-14-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/2308-18-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download
memory/2308-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2324-11-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2520-20-0x0000000000310000-0x0000000000404000-memory.dmp

Filesize
976KB

Download
memory/2520-21-0x0000000000310000-0x0000000000404000-memory.dmp

Filesize
976KB

Download
memory/2520-23-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing