xloader | 7ca0acdc3e8b24c2034b2205dbfdf744c903cae7c88b1d09b529991168c05dca

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Advice for Outstanding Invoices (2).exe
Size

621KB
MD5

2a2d3e7c62d3b3a9e9ef3565f04a2dc5
SHA1

e4829cc9645d8c2a26929d2f132cf6d0f358a988
SHA256

c435fcfb3786d573ede77e30ded01503640a4de64523df7e9078cfc572381ced
SHA512

0226f28426976c5bd064caabea3645062a99e1b1e99e79e4d518c783e208b299534ea9a4d1180bc43651fb1b65f72440382910b7ddf30e57ee4b8c9c9a732871
SSDEEP

12288:7Zbr8K777777777777TkNdgOG0IzkXh7aolFyiSu61xdEJXouOo0XSLEdigeAaui:7F8K777777777777TiP8EFhmoMst

Score

10^/10

xloader nqni discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nqni

Decoy

lekitaly.com

heroteas.com

funtique.art

cedarmoonshop.com

greenozon.com

jonescompanysolutions.com

pdxls.com

icreateandcut.com

healthylifeagainnow.com

zhongxinzxpz.top

hotelsaskatchewan.info

louisebeckinsale.net

hivizpeople.com

sanjoseejidillo.com

turnspout.net

suddennnnnnnnnnnn02.xyz

annianzu.icu

webdesigncharlestonsc.com

headrank.agency

bradyiconmusiccenter.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral29/memory/4072-15-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral29/memory/4072-20-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral29/memory/4072-24-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral29/memory/756-31-0x0000000001250000-0x0000000001279000-memory.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Payment Advice for Outstanding Invoices (2).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Payment Advice for Outstanding Invoices (2).exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Payment Advice for Outstanding Invoices (2).exePayment Advice for Outstanding Invoices (2).exeexplorer.exe

description	pid	process	target process
PID 4988 set thread context of 4072	4988	Payment Advice for Outstanding Invoices (2).exe	Payment Advice for Outstanding Invoices (2).exe
PID 4072 set thread context of 3508	4072	Payment Advice for Outstanding Invoices (2).exe	Explorer.EXE
PID 4072 set thread context of 3508	4072	Payment Advice for Outstanding Invoices (2).exe	Explorer.EXE
PID 756 set thread context of 3508	756	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Payment Advice for Outstanding Invoices (2).exeschtasks.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment Advice for Outstanding Invoices (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2840 schtasks.exe

pid	process
2840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

Payment Advice for Outstanding Invoices (2).exePayment Advice for Outstanding Invoices (2).exeexplorer.exe

pid	process
4988	Payment Advice for Outstanding Invoices (2).exe
4072	Payment Advice for Outstanding Invoices (2).exe
4072	Payment Advice for Outstanding Invoices (2).exe
4072	Payment Advice for Outstanding Invoices (2).exe
4072	Payment Advice for Outstanding Invoices (2).exe
4072	Payment Advice for Outstanding Invoices (2).exe
4072	Payment Advice for Outstanding Invoices (2).exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Payment Advice for Outstanding Invoices (2).exeexplorer.exe

pid	process
4072	Payment Advice for Outstanding Invoices (2).exe
4072	Payment Advice for Outstanding Invoices (2).exe
4072	Payment Advice for Outstanding Invoices (2).exe
4072	Payment Advice for Outstanding Invoices (2).exe
756	explorer.exe
756	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Payment Advice for Outstanding Invoices (2).exePayment Advice for Outstanding Invoices (2).exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	4988	Payment Advice for Outstanding Invoices (2).exe
Token: SeDebugPrivilege	4072	Payment Advice for Outstanding Invoices (2).exe
Token: SeDebugPrivilege	756	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Payment Advice for Outstanding Invoices (2).exeExplorer.EXE

description	pid	process	target process
PID 4988 wrote to memory of 2840	4988	Payment Advice for Outstanding Invoices (2).exe	schtasks.exe
PID 4988 wrote to memory of 2840	4988	Payment Advice for Outstanding Invoices (2).exe	schtasks.exe
PID 4988 wrote to memory of 2840	4988	Payment Advice for Outstanding Invoices (2).exe	schtasks.exe
PID 4988 wrote to memory of 4072	4988	Payment Advice for Outstanding Invoices (2).exe	Payment Advice for Outstanding Invoices (2).exe
PID 4988 wrote to memory of 4072	4988	Payment Advice for Outstanding Invoices (2).exe	Payment Advice for Outstanding Invoices (2).exe
PID 4988 wrote to memory of 4072	4988	Payment Advice for Outstanding Invoices (2).exe	Payment Advice for Outstanding Invoices (2).exe
PID 4988 wrote to memory of 4072	4988	Payment Advice for Outstanding Invoices (2).exe	Payment Advice for Outstanding Invoices (2).exe
PID 4988 wrote to memory of 4072	4988	Payment Advice for Outstanding Invoices (2).exe	Payment Advice for Outstanding Invoices (2).exe
PID 4988 wrote to memory of 4072	4988	Payment Advice for Outstanding Invoices (2).exe	Payment Advice for Outstanding Invoices (2).exe
PID 3508 wrote to memory of 756	3508	Explorer.EXE	explorer.exe
PID 3508 wrote to memory of 756	3508	Explorer.EXE	explorer.exe
PID 3508 wrote to memory of 756	3508	Explorer.EXE	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
  "C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IlSblFRyVadI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1FB8.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2840
- - C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1FB8.tmp

Filesize
1KB

MD5
9c5f354653322ec06ab4ebb449e2437b

SHA1
375d5329debbebcf8688639c7ef7981aa77f5534

SHA256
8c6ac426262941b59edd01a7e5999cc822f25e8ef4cd9bf5d40e63f00d32faf2

SHA512
a97317b55c144fdc08a91c69fef2d40098991ab13a45ceecbd75eabba357ec9f41612b5b1bcc7b4c8e27875b74a6e0ca7019ca8a610eaae2e9de7eb5223f6175

Download Submit
memory/756-30-0x0000000000B10000-0x0000000000F43000-memory.dmp

Filesize
4.2MB

Download
memory/756-28-0x0000000000B10000-0x0000000000F43000-memory.dmp

Filesize
4.2MB

Download
memory/756-31-0x0000000001250000-0x0000000001279000-memory.dmp

Filesize
164KB

Download
memory/3508-27-0x0000000003D40000-0x0000000003DEF000-memory.dmp

Filesize
700KB

Download
memory/3508-32-0x0000000007A00000-0x0000000007B10000-memory.dmp

Filesize
1.1MB

Download
memory/3508-26-0x0000000007A00000-0x0000000007B10000-memory.dmp

Filesize
1.1MB

Download
memory/3508-22-0x0000000003D40000-0x0000000003DEF000-memory.dmp

Filesize
700KB

Download
memory/3508-36-0x0000000007ED0000-0x0000000008042000-memory.dmp

Filesize
1.4MB

Download
memory/4072-18-0x0000000001710000-0x0000000001A5A000-memory.dmp

Filesize
3.3MB

Download
memory/4072-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4072-25-0x0000000003410000-0x0000000003421000-memory.dmp

Filesize
68KB

Download
memory/4072-21-0x0000000001690000-0x00000000016A1000-memory.dmp

Filesize
68KB

Download
memory/4072-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4072-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4988-7-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/4988-17-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/4988-11-0x0000000006F10000-0x0000000006F40000-memory.dmp

Filesize
192KB

Download
memory/4988-10-0x00000000081B0000-0x0000000008234000-memory.dmp

Filesize
528KB

Download
memory/4988-9-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/4988-8-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/4988-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/4988-6-0x0000000005190000-0x000000000519A000-memory.dmp

Filesize
40KB

Download
memory/4988-5-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/4988-4-0x0000000005260000-0x00000000052FC000-memory.dmp

Filesize
624KB

Download
memory/4988-3-0x00000000051C0000-0x0000000005252000-memory.dmp

Filesize
584KB

Download
memory/4988-2-0x00000000056D0000-0x0000000005C74000-memory.dmp

Filesize
5.6MB

Download
memory/4988-1-0x0000000000740000-0x00000000007E2000-memory.dmp

Filesize
648KB

Download