xloader | d4c15f27fc4c4f69dc55491818d8249e8605c2b308615832f054012279d9f0cf

General

Target

Craig_Group_Quotation,pdf.exe
Size

1.1MB
MD5

a885699fd3e6da80b574541565df717e
SHA1

fa98d786dd5ec70400573dde7301ac6c6eb8e720
SHA256

7541f828539e1c7ddccbb3c581886958b16c8016675ac2fb2dd9998bd1dc1161
SHA512

9711111833a07fe9f4366b928ce3c1cd9d7eee270129972a0260864432214c931c7356bcb0d874701407f812b0a64e0254f4a74d96ac4900e3f971156989b83d
SSDEEP

24576:QTOxcq/gHU5/d3dK64J5IHuH4oJiA+wneFl4MxgalS:QTOxpK64JyOYoEX4MOX

Score

10^/10

xloader rqe8 discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

rqe8

Decoy

bjft.net

abrosnm3.com

badlistens.com

signal-japan.com

schaka.com

kingdompersonalbranding.com

sewmenship.com

lzproperty.com

mojoimpacthosting.com

carinsurancecoverage.care

corporatemercadona.com

mobileswash.com

forevercelebration2026.com

co-het.com

bellesherlou.com

commentsoldgolf.com

onlytwod.group

utesco.info

martstrip.com

onszdgu.icu

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral2/memory/3976-8-0x0000000005C20000-0x0000000005C32000-memory.dmp	CustAttr

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/644-13-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/644-18-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/60-24-0x0000000000C20000-0x0000000000C48000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3976 set thread context of 644	3976	Craig_Group_Quotation,pdf.exe	99
PID 644 set thread context of 3456	644	Craig_Group_Quotation,pdf.exe	56
PID 60 set thread context of 3456	60	wlanext.exe	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Craig_Group_Quotation,pdf.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
644	Craig_Group_Quotation,pdf.exe
644	Craig_Group_Quotation,pdf.exe
644	Craig_Group_Quotation,pdf.exe
644	Craig_Group_Quotation,pdf.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe
60	wlanext.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
644	Craig_Group_Quotation,pdf.exe
644	Craig_Group_Quotation,pdf.exe
644	Craig_Group_Quotation,pdf.exe
60	wlanext.exe
60	wlanext.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	644	Craig_Group_Quotation,pdf.exe
Token: SeDebugPrivilege	60	wlanext.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 644	3976	Craig_Group_Quotation,pdf.exe	99
PID 3976 wrote to memory of 644	3976	Craig_Group_Quotation,pdf.exe	99
PID 3976 wrote to memory of 644	3976	Craig_Group_Quotation,pdf.exe	99
PID 3976 wrote to memory of 644	3976	Craig_Group_Quotation,pdf.exe	99
PID 3976 wrote to memory of 644	3976	Craig_Group_Quotation,pdf.exe	99
PID 3976 wrote to memory of 644	3976	Craig_Group_Quotation,pdf.exe	99
PID 3456 wrote to memory of 60	3456	Explorer.EXE	100
PID 3456 wrote to memory of 60	3456	Explorer.EXE	100
PID 3456 wrote to memory of 60	3456	Explorer.EXE	100
PID 60 wrote to memory of 1784	60	wlanext.exe	101
PID 60 wrote to memory of 1784	60	wlanext.exe	101
PID 60 wrote to memory of 1784	60	wlanext.exe	101

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Users\Admin\AppData\Local\Temp\Craig_Group_Quotation,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Craig_Group_Quotation,pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\Craig_Group_Quotation,pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Craig_Group_Quotation,pdf.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:644
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Craig_Group_Quotation,pdf.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-24-0x0000000000C20000-0x0000000000C48000-memory.dmp

Filesize
160KB

Download
memory/60-21-0x0000000000890000-0x00000000008A7000-memory.dmp

Filesize
92KB

Download
memory/60-23-0x0000000000890000-0x00000000008A7000-memory.dmp

Filesize
92KB

Download
memory/644-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/644-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/644-19-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/644-16-0x00000000012B0000-0x00000000015FA000-memory.dmp

Filesize
3.3MB

Download
memory/3456-30-0x0000000008810000-0x000000000893E000-memory.dmp

Filesize
1.2MB

Download
memory/3456-29-0x0000000008810000-0x000000000893E000-memory.dmp

Filesize
1.2MB

Download
memory/3456-25-0x0000000008350000-0x00000000084A1000-memory.dmp

Filesize
1.3MB

Download
memory/3456-20-0x0000000008350000-0x00000000084A1000-memory.dmp

Filesize
1.3MB

Download
memory/3976-6-0x00000000056F0000-0x00000000056FA000-memory.dmp

Filesize
40KB

Download
memory/3976-7-0x0000000005940000-0x0000000005996000-memory.dmp

Filesize
344KB

Download
memory/3976-11-0x0000000006F70000-0x0000000006FE8000-memory.dmp

Filesize
480KB

Download
memory/3976-15-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/3976-10-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/3976-9-0x00000000744BE000-0x00000000744BF000-memory.dmp

Filesize
4KB

Download
memory/3976-8-0x0000000005C20000-0x0000000005C32000-memory.dmp

Filesize
72KB

Download
memory/3976-12-0x0000000006FF0000-0x0000000007020000-memory.dmp

Filesize
192KB

Download
memory/3976-0-0x00000000744BE000-0x00000000744BF000-memory.dmp

Filesize
4KB

Download
memory/3976-5-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/3976-4-0x0000000005750000-0x00000000057E2000-memory.dmp

Filesize
584KB

Download
memory/3976-3-0x0000000005C60000-0x0000000006204000-memory.dmp

Filesize
5.6MB

Download
memory/3976-2-0x0000000005610000-0x00000000056AC000-memory.dmp

Filesize
624KB

Download
memory/3976-1-0x0000000000B20000-0x0000000000C3E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing