xloader | 075d3b5ed653c153e9fffcfcfa330cf99aae102c8f032a7a8ff730060e6e5224

General

Target

d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe
Size

332KB
MD5

9572e695a50ea24517e2414010e10b46
SHA1

ae079d5e44e8b797dd8c29a9f9fd13d9466bc97a
SHA256

d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f
SHA512

ed98a7c1dcbc2fdc8ec0baf5b79586340b4e6552ab2026ddfa0efff3c526862baf81b873a6cf14e054219f629bf7609a42d88845949bfb54e49bd399543a57f8
SSDEEP

6144:TxD7+ihfubpqe6ZFBwZlt26euWhXlUCU0Ch5dlGBkV8Vd1vBIZLlGs7:4guA1ZFBilIpuKChNV8Vd1MLo+

Score

10^/10

xloader yrcy discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

yrcy

Decoy

ordermws-brands.com

jkbswj.com

dairatwsl.com

lewismiddleton.com

hevenorfeed.com

kovogueshop.com

cyberitconsultingz.com

besrbee.com

workerscompfl1.com

wayfinderacu.com

smplkindness.com

servicesitcy.com

babyvv.com

fly-crypto.com

chahuima.com

trist-n.tech

minjia56.com

oded.top

mes-dents-blanches.com

nethunsleather.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2388-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2388-15-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1988-22-0x00000000000C0000-0x00000000000E9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
1556	znompeu.exe
2388	znompeu.exe

Loads dropped DLL 2 IoCs

pid	Process
1324	d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe
1556	znompeu.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1556 set thread context of 2388	1556	znompeu.exe	31
PID 2388 set thread context of 1188	2388	znompeu.exe	21
PID 1988 set thread context of 1188	1988	svchost.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	znompeu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2388	znompeu.exe
2388	znompeu.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2388	znompeu.exe
2388	znompeu.exe
2388	znompeu.exe
1988	svchost.exe
1988	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	znompeu.exe
Token: SeDebugPrivilege	1988	svchost.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1556	1324	d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe	30
PID 1324 wrote to memory of 1556	1324	d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe	30
PID 1324 wrote to memory of 1556	1324	d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe	30
PID 1324 wrote to memory of 1556	1324	d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe	30
PID 1556 wrote to memory of 2388	1556	znompeu.exe	31
PID 1556 wrote to memory of 2388	1556	znompeu.exe	31
PID 1556 wrote to memory of 2388	1556	znompeu.exe	31
PID 1556 wrote to memory of 2388	1556	znompeu.exe	31
PID 1556 wrote to memory of 2388	1556	znompeu.exe	31
PID 1556 wrote to memory of 2388	1556	znompeu.exe	31
PID 1556 wrote to memory of 2388	1556	znompeu.exe	31
PID 1188 wrote to memory of 1988	1188	Explorer.EXE	32
PID 1188 wrote to memory of 1988	1188	Explorer.EXE	32
PID 1188 wrote to memory of 1988	1188	Explorer.EXE	32
PID 1188 wrote to memory of 1988	1188	Explorer.EXE	32
PID 1988 wrote to memory of 1964	1988	svchost.exe	33
PID 1988 wrote to memory of 1964	1988	svchost.exe	33
PID 1988 wrote to memory of 1964	1988	svchost.exe	33
PID 1988 wrote to memory of 1964	1988	svchost.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe
  "C:\Users\Admin\AppData\Local\Temp\d8f888158556fe3971ae3904db9268b95c1d7f3ee1991dbd04002e018b65750f.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\znompeu.exe
    C:\Users\Admin\AppData\Local\Temp\znompeu.exe C:\Users\Admin\AppData\Local\Temp\rgavkpxs
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\znompeu.exe
      C:\Users\Admin\AppData\Local\Temp\znompeu.exe C:\Users\Admin\AppData\Local\Temp\rgavkpxs
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2388
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\znompeu.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3695bcfdr9eu0

Filesize
210KB

MD5
21283579ae331b1495ad866408aab9b0

SHA1
b2a9cb3e3b30d17c849713e7193404dc9863959d

SHA256
f3fa6eb6757fca96cdae8958f8446c9e49527e593031bb32dfccc3ff976fa432

SHA512
f8518631b04d00b2c00b45912df2ab8ed44cc31ea2b6afdf075ee1e1b2ff3ef74ec35275a495321dd6746814726b9045e30e8735240d6b9667f7695aff1e73e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgavkpxs

Filesize
5KB

MD5
2af81e6c3061790ce149ffc656096753

SHA1
504ca42eb12a22cf770f9fba3a305ca5cbdd2ab2

SHA256
584c53db963412e640e1320a4d48fe1904afcc2c735d6ab8e4eb64c74eb0360c

SHA512
f7853f4f09e08426953131cd743b154091d413c45c8c09a1c247f9469937963c54f326bb12141decee14a7b05fc70e835733a339dd908549312cce7c1dd7a46f

Download Submit
\Users\Admin\AppData\Local\Temp\znompeu.exe

Filesize
222KB

MD5
09bbca18da135482d44b23c70f9d8568

SHA1
9edfd59b24069657a2cf6eb35cfe5bed6e3d1fe7

SHA256
0013c266aef2611a034268e74cf293cf443b9246ef569c9acf6fadab59a45341

SHA512
a743f45e84515ed0965ae25ad1f0ac4a8821899e9292c1b0e6cdea93cb2b7f488a38c2ad8eff668c4170495516145476a232518a4f54ebc1aba557c04b43bf15

Download Submit
memory/1188-17-0x00000000078D0000-0x0000000007A0C000-memory.dmp

Filesize
1.2MB

Download
memory/1188-23-0x00000000078D0000-0x0000000007A0C000-memory.dmp

Filesize
1.2MB

Download
memory/1556-9-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/1988-21-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/1988-20-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/1988-22-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/2388-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2388-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing