xloader | 4e83c1441f252782103187e9bbbbfd734b5a84474b48164d02f1fdd7260ab45f

General

Target

0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe
Size

851KB
MD5

49bcec7debb3c44746deae7f46e81a53
SHA1

f9b97e9f1de7fb216236f11f376bb27d722290fd
SHA256

0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792
SHA512

307bff05d4b863e8f8d32730571cf8e6819f254665eb695b9f22aaba1d8656bad924299b981aae2899917a71f4792caf3759007cd2bad566fcf1da54558a1d28
SSDEEP

12288:jMpPHPrZ0O0eUsj93S/aOZM0SoUzHRsegL8Y1PsJ7H0MI0AvCtYJ9jRz1JEJOiM9:wPrpiyOZM0YHfqk7HnI0AvCtYn1/

Score

10^/10

xloader qize discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

qize

Decoy

mamyscare.com

fasttogrowbusiness.com

smtrbrnd.com

nifties.ink

armorbit.net

self-mastery.academy

race-event.info

tomreagan.com

buybitcoin20.com

legittradersfx.com

masonpaintingandcontracting.com

puregarment.com

m33933.com

360metaverse.biz

altsiona.com

egdevils.online

waygao.com

ikmbc-b01.com

share138.com

1sa.online

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2728-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 2728	2576	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2576	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe
2576	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe
2576	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe
2576	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe
2576	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe
2576	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe
2728	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2728	2576	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe	31
PID 2576 wrote to memory of 2728	2576	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe	31
PID 2576 wrote to memory of 2728	2576	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe	31
PID 2576 wrote to memory of 2728	2576	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe	31
PID 2576 wrote to memory of 2728	2576	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe	31
PID 2576 wrote to memory of 2728	2576	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe	31
PID 2576 wrote to memory of 2728	2576	0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe	31

C:\Users\Admin\AppData\Local\Temp\0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe
"C:\Users\Admin\AppData\Local\Temp\0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe
  "C:\Users\Admin\AppData\Local\Temp\0aaa73b1b2b951f7a10dc7a4c8e77b2f659ca543f6b650894f92976342bad792.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2576-6-0x0000000004200000-0x0000000004230000-memory.dmp

Filesize
192KB

Download
memory/2576-0-0x00000000742BE000-0x00000000742BF000-memory.dmp

Filesize
4KB

Download
memory/2576-2-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/2576-3-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-4-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-5-0x0000000005520000-0x00000000055D0000-memory.dmp

Filesize
704KB

Download
memory/2576-1-0x0000000000220000-0x00000000002FA000-memory.dmp

Filesize
872KB

Download
memory/2576-13-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2728-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2728-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2728-14-0x0000000000940000-0x0000000000C43000-memory.dmp

Filesize
3.0MB

Download
memory/2728-15-0x0000000000940000-0x0000000000C43000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing