xloader | 1a25b69e0db3accb52754eecaa22bf90f651e5c36713da103527b6acf579d99e

General

Target

Purchase Order# 210145.exe
Size

1.2MB
MD5

943c2878d92004d2705f0d568838620b
SHA1

c134f3cd18715f1451f48bb10747779609284362
SHA256

30b8f5e97d96ca11c0358b295e60a3dfba91f6eeaa616fd6f1f616326cac8d63
SHA512

cebf61b3e58038e90d4f1846d46ab069b9da8ca2715eebf0b5ce8330924bf9f905013c7d5cf34f5790efe4ef726a56c56bae33c032204f56aadf6eaee5370e6a
SSDEEP

24576:jyvWI9raNq5Kpi+0IMTJVd+7J2Y9J2WV/Nm/y12Nhml:jXIFaNI+0zTJr+vcyYA

Score

10^/10

xloader imm8 discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

imm8

Decoy

insteuctire.com

zomkeroad.icu

setiptv.pro

hk2good.com

writerby.com

giftebuy.com

siterising.com

learnsmartly.net

paanopinoy.com

jerikocreativehub.com

whitenoisestore.com

itownfwl.com

kumamotors.com

luxqueen.club

psychiaterinschweiz.net

sanchez-gomez.info

seriesplum.com

eagleweldingmn.com

6917199.com

kundantanti.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2192-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2192-16-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/3020-21-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

pid	Process
2896	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2272 set thread context of 2192	2272	Purchase Order# 210145.exe	31
PID 2192 set thread context of 1388	2192	Purchase Order# 210145.exe	21
PID 3020 set thread context of 1388	3020	svchost.exe	21

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Purchase Order# 210145.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2192	Purchase Order# 210145.exe
2192	Purchase Order# 210145.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2192	Purchase Order# 210145.exe
2192	Purchase Order# 210145.exe
2192	Purchase Order# 210145.exe
3020	svchost.exe
3020	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	Purchase Order# 210145.exe
Token: SeDebugPrivilege	3020	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2192	2272	Purchase Order# 210145.exe	31
PID 2272 wrote to memory of 2192	2272	Purchase Order# 210145.exe	31
PID 2272 wrote to memory of 2192	2272	Purchase Order# 210145.exe	31
PID 2272 wrote to memory of 2192	2272	Purchase Order# 210145.exe	31
PID 2272 wrote to memory of 2192	2272	Purchase Order# 210145.exe	31
PID 2272 wrote to memory of 2192	2272	Purchase Order# 210145.exe	31
PID 2272 wrote to memory of 2192	2272	Purchase Order# 210145.exe	31
PID 1388 wrote to memory of 3020	1388	Explorer.EXE	32
PID 1388 wrote to memory of 3020	1388	Explorer.EXE	32
PID 1388 wrote to memory of 3020	1388	Explorer.EXE	32
PID 1388 wrote to memory of 3020	1388	Explorer.EXE	32
PID 3020 wrote to memory of 2896	3020	svchost.exe	33
PID 3020 wrote to memory of 2896	3020	svchost.exe	33
PID 3020 wrote to memory of 2896	3020	svchost.exe	33
PID 3020 wrote to memory of 2896	3020	svchost.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\Purchase Order# 210145.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order# 210145.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\Purchase Order# 210145.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order# 210145.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order# 210145.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1388-18-0x00000000070D0000-0x0000000007241000-memory.dmp

Filesize
1.4MB

Download
memory/1388-22-0x00000000070D0000-0x0000000007241000-memory.dmp

Filesize
1.4MB

Download
memory/2192-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2192-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2192-17-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/2192-14-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download
memory/2192-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2192-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2192-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2272-7-0x0000000000CD0000-0x0000000000D24000-memory.dmp

Filesize
336KB

Download
memory/2272-3-0x00000000004A0000-0x00000000004BC000-memory.dmp

Filesize
112KB

Download
memory/2272-6-0x0000000005190000-0x0000000005216000-memory.dmp

Filesize
536KB

Download
memory/2272-13-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2272-5-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2272-4-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/2272-0-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/2272-2-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2272-1-0x0000000001390000-0x00000000014CC000-memory.dmp

Filesize
1.2MB

Download
memory/3020-19-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/3020-20-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/3020-21-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing