xloader | 7ca0acdc3e8b24c2034b2205dbfdf744c903cae7c88b1d09b529991168c05dca

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Advice for Outstanding Invoices (2).exe
Size

621KB
MD5

2a2d3e7c62d3b3a9e9ef3565f04a2dc5
SHA1

e4829cc9645d8c2a26929d2f132cf6d0f358a988
SHA256

c435fcfb3786d573ede77e30ded01503640a4de64523df7e9078cfc572381ced
SHA512

0226f28426976c5bd064caabea3645062a99e1b1e99e79e4d518c783e208b299534ea9a4d1180bc43651fb1b65f72440382910b7ddf30e57ee4b8c9c9a732871
SSDEEP

12288:7Zbr8K777777777777TkNdgOG0IzkXh7aolFyiSu61xdEJXouOo0XSLEdigeAaui:7F8K777777777777TiP8EFhmoMst

Score

10^/10

xloader nqni discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nqni

Decoy

lekitaly.com

heroteas.com

funtique.art

cedarmoonshop.com

greenozon.com

jonescompanysolutions.com

pdxls.com

icreateandcut.com

healthylifeagainnow.com

zhongxinzxpz.top

hotelsaskatchewan.info

louisebeckinsale.net

hivizpeople.com

sanjoseejidillo.com

turnspout.net

suddennnnnnnnnnnn02.xyz

annianzu.icu

webdesigncharlestonsc.com

headrank.agency

bradyiconmusiccenter.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral28/memory/3008-18-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral28/memory/3008-22-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral28/memory/3008-26-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral28/memory/2656-32-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 3008	1292	Payment Advice for Outstanding Invoices (2).exe	33
PID 3008 set thread context of 1200	3008	Payment Advice for Outstanding Invoices (2).exe	21
PID 3008 set thread context of 1200	3008	Payment Advice for Outstanding Invoices (2).exe	21
PID 2656 set thread context of 1200	2656	NAPSTAT.EXE	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment Advice for Outstanding Invoices (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NAPSTAT.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1292	Payment Advice for Outstanding Invoices (2).exe
3008	Payment Advice for Outstanding Invoices (2).exe
3008	Payment Advice for Outstanding Invoices (2).exe
3008	Payment Advice for Outstanding Invoices (2).exe
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
3008	Payment Advice for Outstanding Invoices (2).exe
3008	Payment Advice for Outstanding Invoices (2).exe
3008	Payment Advice for Outstanding Invoices (2).exe
3008	Payment Advice for Outstanding Invoices (2).exe
2656	NAPSTAT.EXE
2656	NAPSTAT.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	Payment Advice for Outstanding Invoices (2).exe
Token: SeDebugPrivilege	3008	Payment Advice for Outstanding Invoices (2).exe
Token: SeDebugPrivilege	2656	NAPSTAT.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2736	1292	Payment Advice for Outstanding Invoices (2).exe	31
PID 1292 wrote to memory of 2736	1292	Payment Advice for Outstanding Invoices (2).exe	31
PID 1292 wrote to memory of 2736	1292	Payment Advice for Outstanding Invoices (2).exe	31
PID 1292 wrote to memory of 2736	1292	Payment Advice for Outstanding Invoices (2).exe	31
PID 1292 wrote to memory of 3008	1292	Payment Advice for Outstanding Invoices (2).exe	33
PID 1292 wrote to memory of 3008	1292	Payment Advice for Outstanding Invoices (2).exe	33
PID 1292 wrote to memory of 3008	1292	Payment Advice for Outstanding Invoices (2).exe	33
PID 1292 wrote to memory of 3008	1292	Payment Advice for Outstanding Invoices (2).exe	33
PID 1292 wrote to memory of 3008	1292	Payment Advice for Outstanding Invoices (2).exe	33
PID 1292 wrote to memory of 3008	1292	Payment Advice for Outstanding Invoices (2).exe	33
PID 1292 wrote to memory of 3008	1292	Payment Advice for Outstanding Invoices (2).exe	33
PID 1200 wrote to memory of 2656	1200	Explorer.EXE	34
PID 1200 wrote to memory of 2656	1200	Explorer.EXE	34
PID 1200 wrote to memory of 2656	1200	Explorer.EXE	34
PID 1200 wrote to memory of 2656	1200	Explorer.EXE	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
  "C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IlSblFRyVadI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFD33.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2736
- - C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFD33.tmp

Filesize
1KB

MD5
235df9cb13f0e61134099fa3131b4200

SHA1
03a5ee592b869bfebd8c9c586c0510d53e6b96a3

SHA256
279cb4ce033c1a0d71e0bae2156173a2d648c6c278f5b47bc64e332a702efa6a

SHA512
36b67e96bbab613f98f27d105607a58e82ea4048d536e8238b3119c3ae200ffaede642ac865918ef30027af51b86c037e57e3f3b3ee9be574993f72f577e1aaf

Download Submit
memory/1200-28-0x0000000006760000-0x000000000688C000-memory.dmp

Filesize
1.2MB

Download
memory/1200-29-0x0000000006680000-0x0000000006752000-memory.dmp

Filesize
840KB

Download
memory/1200-33-0x0000000006760000-0x000000000688C000-memory.dmp

Filesize
1.2MB

Download
memory/1200-24-0x0000000006680000-0x0000000006752000-memory.dmp

Filesize
840KB

Download
memory/1292-4-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

Filesize
4KB

Download
memory/1292-6-0x00000000055E0000-0x0000000005664000-memory.dmp

Filesize
528KB

Download
memory/1292-7-0x0000000004160000-0x0000000004190000-memory.dmp

Filesize
192KB

Download
memory/1292-5-0x0000000074C40000-0x000000007532E000-memory.dmp

Filesize
6.9MB

Download
memory/1292-0-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

Filesize
4KB

Download
memory/1292-3-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/1292-19-0x0000000074C40000-0x000000007532E000-memory.dmp

Filesize
6.9MB

Download
memory/1292-1-0x0000000000160000-0x0000000000202000-memory.dmp

Filesize
648KB

Download
memory/1292-2-0x0000000074C40000-0x000000007532E000-memory.dmp

Filesize
6.9MB

Download
memory/2656-32-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2656-30-0x0000000000DB0000-0x0000000000DF6000-memory.dmp

Filesize
280KB

Download
memory/2656-31-0x0000000000DB0000-0x0000000000DF6000-memory.dmp

Filesize
280KB

Download
memory/3008-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3008-27-0x0000000000B30000-0x0000000000B41000-memory.dmp

Filesize
68KB

Download
memory/3008-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3008-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3008-23-0x0000000000650000-0x0000000000661000-memory.dmp

Filesize
68KB

Download
memory/3008-20-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download
memory/3008-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3008-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3008-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download