xloader | 6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb

Analysis

max time kernel
148s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb.exe
Size

338KB
MD5

1ee227ec277bbf25bf8657dc0379eb8e
SHA1

afc9a4fe432148cc5113357d7ba845f5dcec4aad
SHA256

6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb
SHA512

7708f75ff5ac684c8a885eb4397d96e6af0084fd9ff9748eef3c9468669b6d1c86679bcba834c134e814b46b989508a373c9ff74595f5e1cd0b88887d2209efb
SSDEEP

6144:TxDf9Q//uNLa8UBanwMhumZGiANdNDKFiIeWyb1JoRtz6D:0/uManFhumZIpdJW+gtOD

Score

10^/10

xloader rzwo discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rzwo

Decoy

1metroband.com

erobal.com

zzyykx.com

chamallino.com

ehrlichforjustice.com

fzshangmao.net

bulkprices.info

schlafen.xyz

footspan.com

jano5tau.xyz

ukrainianwriters.com

clf010.com

kgvf.email

matura-natural.com

life23.club

yuanxuhuafu.com

autism-101.com

lithiumhexafluorophosphate.net

ducer.info

tender.guru

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2676-14-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2676-16-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2676-19-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1680-25-0x00000000001D0000-0x00000000001F9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
2736	drfgruezwu.exe
2676	drfgruezwu.exe

Loads dropped DLL 2 IoCs

pid	Process
3004	6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb.exe
2736	drfgruezwu.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2736 set thread context of 2676	2736	drfgruezwu.exe	31
PID 2676 set thread context of 1280	2676	drfgruezwu.exe	21
PID 2676 set thread context of 1280	2676	drfgruezwu.exe	21
PID 1680 set thread context of 1280	1680	netsh.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drfgruezwu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2676	drfgruezwu.exe
2676	drfgruezwu.exe
2676	drfgruezwu.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe
1680	netsh.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2676	drfgruezwu.exe
2676	drfgruezwu.exe
2676	drfgruezwu.exe
2676	drfgruezwu.exe
1680	netsh.exe
1680	netsh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	drfgruezwu.exe
Token: SeDebugPrivilege	1680	netsh.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2736	3004	6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb.exe	30
PID 3004 wrote to memory of 2736	3004	6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb.exe	30
PID 3004 wrote to memory of 2736	3004	6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb.exe	30
PID 3004 wrote to memory of 2736	3004	6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb.exe	30
PID 2736 wrote to memory of 2676	2736	drfgruezwu.exe	31
PID 2736 wrote to memory of 2676	2736	drfgruezwu.exe	31
PID 2736 wrote to memory of 2676	2736	drfgruezwu.exe	31
PID 2736 wrote to memory of 2676	2736	drfgruezwu.exe	31
PID 2736 wrote to memory of 2676	2736	drfgruezwu.exe	31
PID 2736 wrote to memory of 2676	2736	drfgruezwu.exe	31
PID 2736 wrote to memory of 2676	2736	drfgruezwu.exe	31
PID 1280 wrote to memory of 1680	1280	Explorer.EXE	55
PID 1280 wrote to memory of 1680	1280	Explorer.EXE	55
PID 1280 wrote to memory of 1680	1280	Explorer.EXE	55
PID 1280 wrote to memory of 1680	1280	Explorer.EXE	55
PID 1680 wrote to memory of 716	1680	netsh.exe	56
PID 1680 wrote to memory of 716	1680	netsh.exe	56
PID 1680 wrote to memory of 716	1680	netsh.exe	56
PID 1680 wrote to memory of 716	1680	netsh.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb.exe
  "C:\Users\Admin\AppData\Local\Temp\6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\drfgruezwu.exe
    C:\Users\Admin\AppData\Local\Temp\drfgruezwu.exe C:\Users\Admin\AppData\Local\Temp\flhuvaanr
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\drfgruezwu.exe
      C:\Users\Admin\AppData\Local\Temp\drfgruezwu.exe C:\Users\Admin\AppData\Local\Temp\flhuvaanr
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2676
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2796
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2140
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2864
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2812
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2684
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2560
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2848
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2552
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2548
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1908
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2772
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2696
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2568
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2636
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2452
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2528
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2536
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2948
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2944
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2316
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2952
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2208
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1200
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\drfgruezwu.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\flhuvaanr

Filesize
4KB

MD5
f04e7716091d2389032541ba8eeb87de

SHA1
8bec3857fda9bbb8f98182f728bbd054967679cf

SHA256
649cee55f8b6d06eacb6c7f3fd98a153873c66230bc1b17c8789fd8fa3ca0d40

SHA512
80bc5d21a755af9571462fc7e04e4f51d0515dd658bf001d3eae2922fca54423fb5f27d5da73bcedd4b7a6624ffadc18810270ed641e0f47160b02bde18c2417

Download Submit
C:\Users\Admin\AppData\Local\Temp\x6x2dqsyxlhw6i7v7rx

Filesize
211KB

MD5
f7b34417e6147b112144d1d9b50a0c2c

SHA1
1f089694334f36d7c29e89350294862e0d8043a7

SHA256
f956110ead3550c2d01cd7796c82d1e31de04513e29db33937ef0dea4358c2d0

SHA512
f53c9b1ad6abd969fcc2d55c67f961fb973f65b479c1c3d0ace139fc205f3d29bac1beb3f92fa9e6b3cbcba788eaef3a42f2989d8dbb3c7ffaa0cc6610a43731

Download Submit
\Users\Admin\AppData\Local\Temp\drfgruezwu.exe

Filesize
235KB

MD5
ce84e0de135e04f77cadb28f8c216367

SHA1
fa583c32020b084e748bf263d120fcfe4ccc324f

SHA256
4a5824da0a6b328ddcf55a46e71ae5648c3c2fb3ce8e39add28de82c3e97ef5b

SHA512
47e14f190c782dc703468d4751b39865f3274de2b9cd35652d906e07c3f7da1014173284b14be8041d1ab9eeca0dd878ce290d9342b057b85d2cf4dd1cc72071

Download Submit
memory/1280-17-0x0000000006790000-0x00000000068AF000-memory.dmp

Filesize
1.1MB

Download
memory/1280-20-0x00000000045C0000-0x00000000046AF000-memory.dmp

Filesize
956KB

Download
memory/1280-21-0x0000000006790000-0x00000000068AF000-memory.dmp

Filesize
1.1MB

Download
memory/1280-27-0x00000000045C0000-0x00000000046AF000-memory.dmp

Filesize
956KB

Download
memory/1680-24-0x0000000000D50000-0x0000000000D6B000-memory.dmp

Filesize
108KB

Download
memory/1680-25-0x00000000001D0000-0x00000000001F9000-memory.dmp

Filesize
164KB

Download
memory/2676-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2676-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2676-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2736-8-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download