xloader | aa81ef808ba1357daf173ad9f18a9954b2c9173829e64033a38063768d4ea666

General

Target

Sparetronics - Line Card.exe
Size

790KB
MD5

0d15a3865c8e7c9ff7d9632969281f45
SHA1

3794ebfcda17346aa11f6a56ba05ed4ef1105642
SHA256

aac488250a4059c3a5fe215e9d37649ac3666e1acb0ffa9031d7a5b171f951e1
SHA512

2b1198db896cf56ee05f1ecada8da7bc809557d2364d92cadd9c64d2c573c2206cdd8b5e83b7ddc60ce15f1374eb8eeba139bff6656d1fc268a41176a1b91f4a
SSDEEP

12288:rSskqu7Es0xrVHB2kDRkAU7Ed1phEnUJp058NxjzCrwW7ZG9sVbXbs+XPgDdVAad:msCQrM74d1phEU48nCLss54dVAanpo

Score

10^/10

xloader sbjq discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

sbjq

Decoy

topbrandslook.xyz

kupilabs.com

cedrick.net

91mh.info

ajoph.net

finishtheverse.com

pondokquranaljariyah.com

happyhoopoe.com

lowcostfooddelivery.com

estudiosvacunacovid19-co.com

iestradanhhome.com

xn--caasymas-e3a.com

shopqls.com

wpnator.com

parentedagency.com

nundmshop.com

lodosmimarlik.com

ccidyy.xyz

bem-vestida.com

smartincomeafrica.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral1/memory/392-3-0x0000000000760000-0x0000000000772000-memory.dmp	CustAttr

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2508-14-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2508-18-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2508-22-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/3064-28-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

pid	Process
1144	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 392 set thread context of 2508	392	Sparetronics - Line Card.exe	29
PID 2508 set thread context of 1360	2508	Sparetronics - Line Card.exe	20
PID 2508 set thread context of 1360	2508	Sparetronics - Line Card.exe	20
PID 3064 set thread context of 1360	3064	wlanext.exe	20

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sparetronics - Line Card.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
392	Sparetronics - Line Card.exe
392	Sparetronics - Line Card.exe
2508	Sparetronics - Line Card.exe
2508	Sparetronics - Line Card.exe
2508	Sparetronics - Line Card.exe
3064	wlanext.exe
3064	wlanext.exe
3064	wlanext.exe
3064	wlanext.exe
3064	wlanext.exe
3064	wlanext.exe
3064	wlanext.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2508	Sparetronics - Line Card.exe
2508	Sparetronics - Line Card.exe
2508	Sparetronics - Line Card.exe
2508	Sparetronics - Line Card.exe
3064	wlanext.exe
3064	wlanext.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	392	Sparetronics - Line Card.exe
Token: SeDebugPrivilege	2508	Sparetronics - Line Card.exe
Token: SeDebugPrivilege	3064	wlanext.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 2508	392	Sparetronics - Line Card.exe	29
PID 392 wrote to memory of 2508	392	Sparetronics - Line Card.exe	29
PID 392 wrote to memory of 2508	392	Sparetronics - Line Card.exe	29
PID 392 wrote to memory of 2508	392	Sparetronics - Line Card.exe	29
PID 392 wrote to memory of 2508	392	Sparetronics - Line Card.exe	29
PID 392 wrote to memory of 2508	392	Sparetronics - Line Card.exe	29
PID 392 wrote to memory of 2508	392	Sparetronics - Line Card.exe	29
PID 1360 wrote to memory of 3064	1360	Explorer.EXE	30
PID 1360 wrote to memory of 3064	1360	Explorer.EXE	30
PID 1360 wrote to memory of 3064	1360	Explorer.EXE	30
PID 1360 wrote to memory of 3064	1360	Explorer.EXE	30
PID 3064 wrote to memory of 1144	3064	wlanext.exe	31
PID 3064 wrote to memory of 1144	3064	wlanext.exe	31
PID 3064 wrote to memory of 1144	3064	wlanext.exe	31
PID 3064 wrote to memory of 1144	3064	wlanext.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\Sparetronics - Line Card.exe
  "C:\Users\Admin\AppData\Local\Temp\Sparetronics - Line Card.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\Sparetronics - Line Card.exe
    "C:\Users\Admin\AppData\Local\Temp\Sparetronics - Line Card.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Sparetronics - Line Card.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-15-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/392-2-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/392-0-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/392-3-0x0000000000760000-0x0000000000772000-memory.dmp

Filesize
72KB

Download
memory/392-1-0x00000000002A0000-0x000000000036C000-memory.dmp

Filesize
816KB

Download
memory/392-5-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/392-6-0x0000000005000000-0x00000000050B8000-memory.dmp

Filesize
736KB

Download
memory/392-7-0x0000000005220000-0x0000000005294000-memory.dmp

Filesize
464KB

Download
memory/392-4-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/1360-24-0x0000000007350000-0x00000000074AE000-memory.dmp

Filesize
1.4MB

Download
memory/1360-20-0x0000000006BF0000-0x0000000006D60000-memory.dmp

Filesize
1.4MB

Download
memory/1360-29-0x0000000007350000-0x00000000074AE000-memory.dmp

Filesize
1.4MB

Download
memory/1360-25-0x0000000006BF0000-0x0000000006D60000-memory.dmp

Filesize
1.4MB

Download
memory/2508-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2508-19-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2508-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2508-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2508-23-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2508-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2508-16-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/2508-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2508-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3064-27-0x00000000008A0000-0x00000000008B6000-memory.dmp

Filesize
88KB

Download
memory/3064-26-0x00000000008A0000-0x00000000008B6000-memory.dmp

Filesize
88KB

Download
memory/3064-28-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing