xloader | 7b3bfc65ac7152cce25cf081d9664f7d67912c5476c81cad7a380f761e3a03b5

General

Target

d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f.exe
Size

231KB
MD5

a5cf2da4b8e2da3344041aca44c7758f
SHA1

1cf6b71f82329a596b8b5e260642d87e2b6cc589
SHA256

d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f
SHA512

a43cfde76f345991d93a063f6293e7b652e370ef3cc666d09c3e7633e4d5181c6f5af1141f1517318be90c008891b61654c3293d12beca0c656caa158c4f7514
SSDEEP

6144:HNeZmIvj8f50yXpXKl7QO3Z6tZMWz7gnAo5y0:HNlIvjAb5XKxZ6jrg

Score

10^/10

xloader tuad discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

tuad

Decoy

luckycatcomedy.com

randomizedphotos.com

revisioneye.online

maccounts-re.store

quant-inox.com

yunzhouxf.com

storyqueen.online

momju.xyz

olodo.xyz

cclbeauty.com

funfoll.com

tomroosevelt.com

flixly.network

teruten8118.com

steaksandribs.com

thesustainablehippie.com

giorlinag.com

bickerstaff.xyz

14kfinishes.com

sendaisega.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2336-12-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/2336-15-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/2336-18-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral1/memory/1984-25-0x0000000000170000-0x000000000019B000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
2996	ajwid.exe
2336	ajwid.exe

Loads dropped DLL 2 IoCs

pid	Process
1908	d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f.exe
2996	ajwid.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2996 set thread context of 2336	2996	ajwid.exe	31
PID 2336 set thread context of 1204	2336	ajwid.exe	21
PID 2336 set thread context of 1204	2336	ajwid.exe	21
PID 1984 set thread context of 1204	1984	wscript.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajwid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2336	ajwid.exe
2336	ajwid.exe
2336	ajwid.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe
1984	wscript.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2336	ajwid.exe
2336	ajwid.exe
2336	ajwid.exe
2336	ajwid.exe
1984	wscript.exe
1984	wscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	ajwid.exe
Token: SeDebugPrivilege	1984	wscript.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2996	1908	d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f.exe	30
PID 1908 wrote to memory of 2996	1908	d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f.exe	30
PID 1908 wrote to memory of 2996	1908	d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f.exe	30
PID 1908 wrote to memory of 2996	1908	d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f.exe	30
PID 2996 wrote to memory of 2336	2996	ajwid.exe	31
PID 2996 wrote to memory of 2336	2996	ajwid.exe	31
PID 2996 wrote to memory of 2336	2996	ajwid.exe	31
PID 2996 wrote to memory of 2336	2996	ajwid.exe	31
PID 2996 wrote to memory of 2336	2996	ajwid.exe	31
PID 2996 wrote to memory of 2336	2996	ajwid.exe	31
PID 2996 wrote to memory of 2336	2996	ajwid.exe	31
PID 1204 wrote to memory of 1984	1204	Explorer.EXE	32
PID 1204 wrote to memory of 1984	1204	Explorer.EXE	32
PID 1204 wrote to memory of 1984	1204	Explorer.EXE	32
PID 1204 wrote to memory of 1984	1204	Explorer.EXE	32
PID 1984 wrote to memory of 2912	1984	wscript.exe	34
PID 1984 wrote to memory of 2912	1984	wscript.exe	34
PID 1984 wrote to memory of 2912	1984	wscript.exe	34
PID 1984 wrote to memory of 2912	1984	wscript.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f.exe
  "C:\Users\Admin\AppData\Local\Temp\d792fce0604dfdc19ca20c9614279747dde1db7c7676dc05f4b3fb57371bd94f.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Local\Temp\ajwid.exe
    C:\Users\Admin\AppData\Local\Temp\ajwid.exe C:\Users\Admin\AppData\Local\Temp\zxycj
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\ajwid.exe
      C:\Users\Admin\AppData\Local\Temp\ajwid.exe C:\Users\Admin\AppData\Local\Temp\zxycj
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2336
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\ajwid.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sribayra72

Filesize
170KB

MD5
dd1cc5bbb767ffb2e97e8b5ccd6404cc

SHA1
8664402b4ef13c3b0381facefeeffc3e3c9d50a4

SHA256
f7eefa6eaa6b2d35bb48c8284d3db1acba29f6fa63e280cc4646151d2a444e74

SHA512
123a9d3db586dca6297850a02e6a5383621d13494511419ad98e561f061e4b17ef4f6b6ef91c46182b54848d9b79e75c7850ceafd5a7576217cef24ce270d5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxycj

Filesize
4KB

MD5
d9038f69b9e8e92e3ed9aa72a3671903

SHA1
ba871cdead478e5041a2b05820b0db2fb6dc0b17

SHA256
5d83228066971866553900c3386b6007d9f017692f5a5ceb2b618bcfed209080

SHA512
37fa67ce91a64e3cddfeab88acd88935cf01f16ce1b6c85ff01900e5fe514c703a551194bd28feddb2601ad9452ecd68ebbabdbfe133f770a1ed99a8845f3c48

Download Submit
\Users\Admin\AppData\Local\Temp\ajwid.exe

Filesize
75KB

MD5
f5a8c28b6e248b5659561e38d470194e

SHA1
cbd1de347792a8e6af98f18f2b25874fa0a3ae63

SHA256
5e570f5d793082ed4917eb4a955ac0ffdb5c10dbef53d663b8ed84e2820db7f9

SHA512
7ad2e97b30a65c259c0217c440fc16daaf8fd542a71fc9c1023a45381774bd8796b8ef80a72bd4d212663f9f911f9491b4e76cf42277dac84437da93c1155ddb

Download Submit
memory/1204-20-0x00000000077B0000-0x0000000007902000-memory.dmp

Filesize
1.3MB

Download
memory/1204-16-0x00000000050F0000-0x00000000051E8000-memory.dmp

Filesize
992KB

Download
memory/1204-19-0x00000000050F0000-0x00000000051E8000-memory.dmp

Filesize
992KB

Download
memory/1204-26-0x00000000077B0000-0x0000000007902000-memory.dmp

Filesize
1.3MB

Download
memory/1984-24-0x0000000000770000-0x0000000000796000-memory.dmp

Filesize
152KB

Download
memory/1984-23-0x0000000000770000-0x0000000000796000-memory.dmp

Filesize
152KB

Download
memory/1984-25-0x0000000000170000-0x000000000019B000-memory.dmp

Filesize
172KB

Download
memory/2336-12-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2336-15-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2336-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2996-9-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing