xloader | aa81ef808ba1357daf173ad9f18a9954b2c9173829e64033a38063768d4ea666

General

Target

Sparetronics - Line Card.exe
Size

790KB
MD5

0d15a3865c8e7c9ff7d9632969281f45
SHA1

3794ebfcda17346aa11f6a56ba05ed4ef1105642
SHA256

aac488250a4059c3a5fe215e9d37649ac3666e1acb0ffa9031d7a5b171f951e1
SHA512

2b1198db896cf56ee05f1ecada8da7bc809557d2364d92cadd9c64d2c573c2206cdd8b5e83b7ddc60ce15f1374eb8eeba139bff6656d1fc268a41176a1b91f4a
SSDEEP

12288:rSskqu7Es0xrVHB2kDRkAU7Ed1phEnUJp058NxjzCrwW7ZG9sVbXbs+XPgDdVAad:msCQrM74d1phEU48nCLss54dVAanpo

Score

10^/10

xloader sbjq discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

sbjq

Decoy

topbrandslook.xyz

kupilabs.com

cedrick.net

91mh.info

ajoph.net

finishtheverse.com

pondokquranaljariyah.com

happyhoopoe.com

lowcostfooddelivery.com

estudiosvacunacovid19-co.com

iestradanhhome.com

xn--caasymas-e3a.com

shopqls.com

wpnator.com

parentedagency.com

nundmshop.com

lodosmimarlik.com

ccidyy.xyz

bem-vestida.com

smartincomeafrica.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral2/memory/4884-8-0x0000000005080000-0x0000000005092000-memory.dmp	CustAttr

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/4620-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4620-18-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1732-24-0x0000000000F80000-0x0000000000FA9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4884 set thread context of 4620	4884	Sparetronics - Line Card.exe	100
PID 4620 set thread context of 3396	4620	Sparetronics - Line Card.exe	56
PID 1732 set thread context of 3396	1732	cmd.exe	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sparetronics - Line Card.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
4884	Sparetronics - Line Card.exe
4884	Sparetronics - Line Card.exe
4884	Sparetronics - Line Card.exe
4884	Sparetronics - Line Card.exe
4884	Sparetronics - Line Card.exe
4620	Sparetronics - Line Card.exe
4620	Sparetronics - Line Card.exe
4620	Sparetronics - Line Card.exe
4620	Sparetronics - Line Card.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe
1732	cmd.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4620	Sparetronics - Line Card.exe
4620	Sparetronics - Line Card.exe
4620	Sparetronics - Line Card.exe
1732	cmd.exe
1732	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	Sparetronics - Line Card.exe
Token: SeDebugPrivilege	4620	Sparetronics - Line Card.exe
Token: SeDebugPrivilege	1732	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 3060	4884	Sparetronics - Line Card.exe	99
PID 4884 wrote to memory of 3060	4884	Sparetronics - Line Card.exe	99
PID 4884 wrote to memory of 3060	4884	Sparetronics - Line Card.exe	99
PID 4884 wrote to memory of 4620	4884	Sparetronics - Line Card.exe	100
PID 4884 wrote to memory of 4620	4884	Sparetronics - Line Card.exe	100
PID 4884 wrote to memory of 4620	4884	Sparetronics - Line Card.exe	100
PID 4884 wrote to memory of 4620	4884	Sparetronics - Line Card.exe	100
PID 4884 wrote to memory of 4620	4884	Sparetronics - Line Card.exe	100
PID 4884 wrote to memory of 4620	4884	Sparetronics - Line Card.exe	100
PID 3396 wrote to memory of 1732	3396	Explorer.EXE	101
PID 3396 wrote to memory of 1732	3396	Explorer.EXE	101
PID 3396 wrote to memory of 1732	3396	Explorer.EXE	101
PID 1732 wrote to memory of 4692	1732	cmd.exe	102
PID 1732 wrote to memory of 4692	1732	cmd.exe	102
PID 1732 wrote to memory of 4692	1732	cmd.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Local\Temp\Sparetronics - Line Card.exe
  "C:\Users\Admin\AppData\Local\Temp\Sparetronics - Line Card.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\Sparetronics - Line Card.exe
    "C:\Users\Admin\AppData\Local\Temp\Sparetronics - Line Card.exe"
    3⤵
    PID:3060
- - C:\Users\Admin\AppData\Local\Temp\Sparetronics - Line Card.exe
    "C:\Users\Admin\AppData\Local\Temp\Sparetronics - Line Card.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Sparetronics - Line Card.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1732-24-0x0000000000F80000-0x0000000000FA9000-memory.dmp

Filesize
164KB

Download
memory/1732-21-0x0000000000EE0000-0x0000000000F3A000-memory.dmp

Filesize
360KB

Download
memory/1732-23-0x0000000000EE0000-0x0000000000F3A000-memory.dmp

Filesize
360KB

Download
memory/3396-30-0x0000000006F60000-0x0000000007056000-memory.dmp

Filesize
984KB

Download
memory/3396-29-0x0000000006F60000-0x0000000007056000-memory.dmp

Filesize
984KB

Download
memory/3396-27-0x0000000006F60000-0x0000000007056000-memory.dmp

Filesize
984KB

Download
memory/3396-25-0x00000000024D0000-0x000000000262B000-memory.dmp

Filesize
1.4MB

Download
memory/3396-20-0x00000000024D0000-0x000000000262B000-memory.dmp

Filesize
1.4MB

Download
memory/4620-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4620-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4620-19-0x00000000013A0000-0x00000000013B1000-memory.dmp

Filesize
68KB

Download
memory/4620-16-0x0000000001980000-0x0000000001CCA000-memory.dmp

Filesize
3.3MB

Download
memory/4884-6-0x0000000005230000-0x0000000005286000-memory.dmp

Filesize
344KB

Download
memory/4884-7-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/4884-15-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/4884-11-0x0000000000F20000-0x0000000000FD8000-memory.dmp

Filesize
736KB

Download
memory/4884-10-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/4884-9-0x000000007486E000-0x000000007486F000-memory.dmp

Filesize
4KB

Download
memory/4884-8-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4884-12-0x0000000008460000-0x00000000084D4000-memory.dmp

Filesize
464KB

Download
memory/4884-0-0x000000007486E000-0x000000007486F000-memory.dmp

Filesize
4KB

Download
memory/4884-5-0x0000000004F40000-0x0000000004F4A000-memory.dmp

Filesize
40KB

Download
memory/4884-4-0x00000000050A0000-0x0000000005132000-memory.dmp

Filesize
584KB

Download
memory/4884-3-0x0000000005650000-0x0000000005BF4000-memory.dmp

Filesize
5.6MB

Download
memory/4884-2-0x0000000004FC0000-0x000000000505C000-memory.dmp

Filesize
624KB

Download
memory/4884-1-0x00000000005C0000-0x000000000068C000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing