xloader | 487037ef86c737e048438eb25320f0667558d8faac0e8795b05a81323dd6430e

Analysis

max time kernel
135s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e.exe
Size

533KB
MD5

74dcc6e092f153a156440a45476dd3d9
SHA1

9c625f5c2bde5235f406fe6d08e52d5c39d627ed
SHA256

f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e
SHA512

c33a3a6f59666c90947967520b82d8a77abd07bcfc13b9aadf5cedf641e3b337d68f21c93345a887371a06641ad88ece7074af146cd4fba021c68fce95363ab3
SSDEEP

12288:IgOUT6enUemHO2OxwYcosOmRm+meGbbp2:IFNu2O/uQdN2

Score

10^/10

xloader seqa discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

seqa

Decoy

alstartnpasumo5.xyz

jarvisbranding.com

kyiv-bdsm.club

hunttools.info

bantaleautomotiveengineers.com

comercioexpresschilpancingo.com

smallbusinessalliancegroup.com

swlawfirmok.com

marketciphermerch.com

gxmmvcn.icu

betwonsikayet.com

bise.tech

minismi2.com

bucklestylez.com

hereford-cattle.com

yufude.com

tangerineinit.com

destinyforfreedom.com

team-rwby-project.com

richardkmartinez.store

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2904-9-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4832 set thread context of 2904	4832	f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e.exe	90

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2904	f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e.exe
2904	f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4832	f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 2904	4832	f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e.exe	90
PID 4832 wrote to memory of 2904	4832	f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e.exe	90
PID 4832 wrote to memory of 2904	4832	f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e.exe	90
PID 4832 wrote to memory of 2904	4832	f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e.exe	90
PID 4832 wrote to memory of 2904	4832	f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e.exe	90
PID 4832 wrote to memory of 2904	4832	f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e.exe	90

C:\Users\Admin\AppData\Local\Temp\f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e.exe
"C:\Users\Admin\AppData\Local\Temp\f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e.exe
  "C:\Users\Admin\AppData\Local\Temp\f65dccca258ad9ea722aa7a66188f55f5f80a274bb9090a02f4c3b6d7ef9fe5e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2904-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2904-10-0x0000000001850000-0x0000000001B9A000-memory.dmp

Filesize
3.3MB

Download
memory/4832-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/4832-1-0x0000000000E80000-0x0000000000F0A000-memory.dmp

Filesize
552KB

Download
memory/4832-2-0x0000000005450000-0x00000000059F4000-memory.dmp

Filesize
5.6MB

Download
memory/4832-3-0x0000000004F40000-0x0000000004FD2000-memory.dmp

Filesize
584KB

Download
memory/4832-4-0x0000000005050000-0x00000000050B6000-memory.dmp

Filesize
408KB

Download
memory/4832-5-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/4832-6-0x0000000005000000-0x000000000500A000-memory.dmp

Filesize
40KB

Download
memory/4832-7-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/4832-8-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download