xloader | bf7c38d3b5d4ef19a6e80113d538e63e830eb39f073f3859352155c257ed0f8b

General

Target

Bridge_E12_4546786,pdf.exe
Size

993KB
MD5

f9e5c9b101838927e7980b6f4892820c
SHA1

091c3fdf81cb7bc59d338723d9938f5506944e5a
SHA256

a8664e0023a7f34579fff0976b8f7d63805fbd6ef14eeebd2d0bbdf3e16e785c
SHA512

0f8e845c64fc2e1ada39745b80215c8203ae214b4aa29daa42c945813bddbec40a42ae296727d6718d8af22e8285b7bc81d4a99f74f51c2b6429c9d7b3536cae
SSDEEP

24576:ueaakkaedlGmntd9xRXhYjICRRRRRjXtAmA5ZSE:ueaakkaed0a1xRCDRRRRRjdAmA/

Score

10^/10

xloader hw6d discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

hw6d

Decoy

medicare101now.com

danahillathletics.com

realjobexpert.com

boulderhalle-hamburg.com

idoweddinghair.com

awdcompanies.com

thevillaflora.com

neutrasystems.com

allwest-originals.com

designtehengsg.com

thenewyorker.computer

ladybugtubs.com

silina-beauty24.com

mifangtu.com

fashionbranddeveloper.com

istanbulhookah.com

askyoyo.com

osaka-computer.net

conegenie.com

agteless.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/1068-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1068-18-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2800-23-0x00000000012B0000-0x00000000012D9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2588 set thread context of 1068	2588	Bridge_E12_4546786,pdf.exe	101
PID 1068 set thread context of 3484	1068	Bridge_E12_4546786,pdf.exe	56
PID 2800 set thread context of 3484	2800	chkdsk.exe	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bridge_E12_4546786,pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chkdsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2588	Bridge_E12_4546786,pdf.exe
2588	Bridge_E12_4546786,pdf.exe
2588	Bridge_E12_4546786,pdf.exe
2588	Bridge_E12_4546786,pdf.exe
2588	Bridge_E12_4546786,pdf.exe
1068	Bridge_E12_4546786,pdf.exe
1068	Bridge_E12_4546786,pdf.exe
1068	Bridge_E12_4546786,pdf.exe
1068	Bridge_E12_4546786,pdf.exe
2800	chkdsk.exe
2800	chkdsk.exe
2800	chkdsk.exe
2800	chkdsk.exe
2800	chkdsk.exe
2800	chkdsk.exe
2800	chkdsk.exe
2800	chkdsk.exe
2800	chkdsk.exe
2800	chkdsk.exe
2800	chkdsk.exe
2800	chkdsk.exe
2800	chkdsk.exe
2800	chkdsk.exe
2800	chkdsk.exe
2800	chkdsk.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1068	Bridge_E12_4546786,pdf.exe
1068	Bridge_E12_4546786,pdf.exe
1068	Bridge_E12_4546786,pdf.exe
2800	chkdsk.exe
2800	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	Bridge_E12_4546786,pdf.exe
Token: SeDebugPrivilege	1068	Bridge_E12_4546786,pdf.exe
Token: SeDebugPrivilege	2800	chkdsk.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 4752	2588	Bridge_E12_4546786,pdf.exe	100
PID 2588 wrote to memory of 4752	2588	Bridge_E12_4546786,pdf.exe	100
PID 2588 wrote to memory of 4752	2588	Bridge_E12_4546786,pdf.exe	100
PID 2588 wrote to memory of 1068	2588	Bridge_E12_4546786,pdf.exe	101
PID 2588 wrote to memory of 1068	2588	Bridge_E12_4546786,pdf.exe	101
PID 2588 wrote to memory of 1068	2588	Bridge_E12_4546786,pdf.exe	101
PID 2588 wrote to memory of 1068	2588	Bridge_E12_4546786,pdf.exe	101
PID 2588 wrote to memory of 1068	2588	Bridge_E12_4546786,pdf.exe	101
PID 2588 wrote to memory of 1068	2588	Bridge_E12_4546786,pdf.exe	101
PID 3484 wrote to memory of 2800	3484	Explorer.EXE	102
PID 3484 wrote to memory of 2800	3484	Explorer.EXE	102
PID 3484 wrote to memory of 2800	3484	Explorer.EXE	102
PID 2800 wrote to memory of 4344	2800	chkdsk.exe	103
PID 2800 wrote to memory of 4344	2800	chkdsk.exe	103
PID 2800 wrote to memory of 4344	2800	chkdsk.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\Bridge_E12_4546786,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Bridge_E12_4546786,pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\Bridge_E12_4546786,pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Bridge_E12_4546786,pdf.exe"
    3⤵
    PID:4752
- - C:\Users\Admin\AppData\Local\Temp\Bridge_E12_4546786,pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Bridge_E12_4546786,pdf.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Bridge_E12_4546786,pdf.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1068-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1068-19-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/1068-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1068-16-0x00000000019C0000-0x0000000001D0A000-memory.dmp

Filesize
3.3MB

Download
memory/2588-12-0x0000000000D90000-0x0000000000DCE000-memory.dmp

Filesize
248KB

Download
memory/2588-3-0x0000000005420000-0x00000000059C4000-memory.dmp

Filesize
5.6MB

Download
memory/2588-6-0x0000000005100000-0x0000000005156000-memory.dmp

Filesize
344KB

Download
memory/2588-7-0x0000000074FB0000-0x0000000075760000-memory.dmp

Filesize
7.7MB

Download
memory/2588-8-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/2588-9-0x0000000074FBE000-0x0000000074FBF000-memory.dmp

Filesize
4KB

Download
memory/2588-10-0x0000000074FB0000-0x0000000075760000-memory.dmp

Filesize
7.7MB

Download
memory/2588-11-0x0000000000CD0000-0x0000000000D54000-memory.dmp

Filesize
528KB

Download
memory/2588-0-0x0000000074FBE000-0x0000000074FBF000-memory.dmp

Filesize
4KB

Download
memory/2588-4-0x0000000004F10000-0x0000000004FA2000-memory.dmp

Filesize
584KB

Download
memory/2588-15-0x0000000074FB0000-0x0000000075760000-memory.dmp

Filesize
7.7MB

Download
memory/2588-5-0x0000000004E80000-0x0000000004E8A000-memory.dmp

Filesize
40KB

Download
memory/2588-2-0x0000000004D40000-0x0000000004DDC000-memory.dmp

Filesize
624KB

Download
memory/2588-1-0x0000000000320000-0x000000000041E000-memory.dmp

Filesize
1016KB

Download
memory/2800-21-0x0000000000FB0000-0x0000000000FBA000-memory.dmp

Filesize
40KB

Download
memory/2800-22-0x0000000000FB0000-0x0000000000FBA000-memory.dmp

Filesize
40KB

Download
memory/2800-23-0x00000000012B0000-0x00000000012D9000-memory.dmp

Filesize
164KB

Download
memory/3484-20-0x0000000002800000-0x0000000002948000-memory.dmp

Filesize
1.3MB

Download
memory/3484-24-0x0000000002800000-0x0000000002948000-memory.dmp

Filesize
1.3MB

Download
memory/3484-26-0x0000000007E60000-0x0000000007F05000-memory.dmp

Filesize
660KB

Download
memory/3484-27-0x0000000007E60000-0x0000000007F05000-memory.dmp

Filesize
660KB

Download
memory/3484-29-0x0000000007E60000-0x0000000007F05000-memory.dmp

Filesize
660KB

Download

Analysis

Sharing