xloader | 792eb6ce7d9e518bd04454435f7dda042fcaaf787db11abf732e7c16517bbee6

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
Size

872KB
MD5

fd724406b255a493f330ee2770c4ac9a
SHA1

860e185a6d5c43181e57d09696d317c511caf3a5
SHA256

48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd
SHA512

6e23dbdbc2f22d77ed811e67a9008eff395fd23d198a585e71dd193cff7cfefd0ad7edfa11de0b5781d0b6cb6dcbacac47ef39547f949dc882d16f81770d1cb3
SSDEEP

12288:dDFEOEhGkEHIxZEfzfYNM9a462lRbSRiLIsBOgkrBZGR/Qp/vSBR7sXTQiuD/6he:egVOEjqCkov8sBOBlgQRkd4wJ

Score

10^/10

xloader ahge discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahge

Decoy

zlh.biz

suddennnnnnnnnnnn11.xyz

okanliving.com

shopeuphoricapparel.com

hcifo.com

haciendalosangeleslaguna.com

shineshaft.online

monclerjacketsusa.biz

uwuplay.com

psychicdeb.com

adonlet.com

theprogressivehomesteaders.com

ammaninstitute.com

sqpod.com

tropicbaywatergardens.net

yna901.net

3christinez.online

tastemon.com

karansabberwal.com

delegif.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/3720-8-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral2/memory/396-13-0x0000000000400000-0x000000000042A000-memory.dmp	xloader
behavioral2/memory/4828-22-0x0000000000E40000-0x0000000000E69000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2064 set thread context of 3720	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	84
PID 2064 set thread context of 396	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	86
PID 396 set thread context of 3488	396	wscadminui.exe	56
PID 4828 set thread context of 3488	4828	cmmon32.exe	56

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscadminui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmmon32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
3720	SystemPropertiesDataExecutionPrevention.exe
3720	SystemPropertiesDataExecutionPrevention.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
396	wscadminui.exe
396	wscadminui.exe
396	wscadminui.exe
396	wscadminui.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe
4828	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
396	wscadminui.exe
396	wscadminui.exe
396	wscadminui.exe
4828	cmmon32.exe
4828	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
Token: SeDebugPrivilege	396	wscadminui.exe
Token: SeDebugPrivilege	4828	cmmon32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2992	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	83
PID 2064 wrote to memory of 2992	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	83
PID 2064 wrote to memory of 2992	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	83
PID 2064 wrote to memory of 3720	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	84
PID 2064 wrote to memory of 3720	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	84
PID 2064 wrote to memory of 3720	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	84
PID 2064 wrote to memory of 3720	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	84
PID 2064 wrote to memory of 3720	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	84
PID 2064 wrote to memory of 3720	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	84
PID 2064 wrote to memory of 3720	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	84
PID 2064 wrote to memory of 396	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	86
PID 2064 wrote to memory of 396	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	86
PID 2064 wrote to memory of 396	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	86
PID 2064 wrote to memory of 396	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	86
PID 2064 wrote to memory of 396	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	86
PID 2064 wrote to memory of 396	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	86
PID 2064 wrote to memory of 396	2064	48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe	86
PID 3488 wrote to memory of 4828	3488	Explorer.EXE	87
PID 3488 wrote to memory of 4828	3488	Explorer.EXE	87
PID 3488 wrote to memory of 4828	3488	Explorer.EXE	87
PID 4828 wrote to memory of 2728	4828	cmmon32.exe	94
PID 4828 wrote to memory of 2728	4828	cmmon32.exe	94
PID 4828 wrote to memory of 2728	4828	cmmon32.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Users\Admin\AppData\Local\Temp\48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe
  "C:\Users\Admin\AppData\Local\Temp\48ebad81d92ce98fba777a39a5a78ea05ba60b3d58bd36eac52bd95af71143dd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\msfeedssync.exe
    "C:\Windows\SysWOW64\msfeedssync.exe"
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe
    "C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3720
- - C:\Windows\SysWOW64\wscadminui.exe
    "C:\Windows\SysWOW64\wscadminui.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\wscadminui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/396-14-0x0000000000B20000-0x0000000000B31000-memory.dmp

Filesize
68KB

Download
memory/396-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/396-11-0x0000000000D80000-0x00000000010CA000-memory.dmp

Filesize
3.3MB

Download
memory/2064-6-0x0000000005290000-0x00000000052A6000-memory.dmp

Filesize
88KB

Download
memory/2064-4-0x00000000053B0000-0x000000000544C000-memory.dmp

Filesize
624KB

Download
memory/2064-5-0x0000000005460000-0x000000000551A000-memory.dmp

Filesize
744KB

Download
memory/2064-3-0x0000000005310000-0x00000000053A2000-memory.dmp

Filesize
584KB

Download
memory/2064-7-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/2064-19-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/2064-17-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/2064-2-0x00000000058C0000-0x0000000005E64000-memory.dmp

Filesize
5.6MB

Download
memory/2064-1-0x0000000000970000-0x0000000000A50000-memory.dmp

Filesize
896KB

Download
memory/2064-0-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/2064-15-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/3488-16-0x0000000003130000-0x0000000003243000-memory.dmp

Filesize
1.1MB

Download
memory/3488-23-0x0000000003130000-0x0000000003243000-memory.dmp

Filesize
1.1MB

Download
memory/3488-26-0x0000000008610000-0x0000000008747000-memory.dmp

Filesize
1.2MB

Download
memory/3488-28-0x0000000008610000-0x0000000008747000-memory.dmp

Filesize
1.2MB

Download
memory/3488-29-0x0000000008610000-0x0000000008747000-memory.dmp

Filesize
1.2MB

Download
memory/3720-9-0x0000000000FC0000-0x000000000130A000-memory.dmp

Filesize
3.3MB

Download
memory/3720-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4828-21-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/4828-20-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/4828-22-0x0000000000E40000-0x0000000000E69000-memory.dmp

Filesize
164KB

Download