xloader | 57fde6ab463eabd779e138a0ef61807a8e587894d65e2a215378ab6ba9963429

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rev inv07014.exe
Size

190KB
MD5

279122d3d89dab6a1b1a3a44931eb9a9
SHA1

df6f4453f8540c7a0f26a69c07907b3880ef7ffa
SHA256

758e43dcb865272b3fd6830e51e6875b9eeed7ad2734f0ceb4c5915c14fabb8a
SHA512

1e50c1a2d64adcde4dadc336e1e5de7c1ac030c9f7185f45e9021c914415e676a05c89de23563d401ef853129c7bc30ca2a6fa4d181ee0c277785ca40d8d8ae6
SSDEEP

3072:iBkfJpRXATwMdFCcGb/WfMwskKgw/01e7sm1QuQ1/oUsQSI4k0ZvSJlKVhrFz:iqjIKOfHsrD/01Esm1Q9nTSfbZvwKVdN

Score

10^/10

xloader ymri discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ymri

Decoy

cqmlhy.com

districtdisinfectant.com

canadohta.com

indipetals.com

zygjzz.com

bodybionixusa.com

myfoodiedoodie.com

littletinesonlinestore.com

zerofive100.com

odd-spaces.com

luxxnights.com

d-electric.com

fastkl.com

mywayinto.com

vitalpassion.com

usedmercedessprinters.net

caofeicao.com

emehciti.com

smartaider.com

ssgasika.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1684-5-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/1684-8-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/1684-11-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/4836-19-0x0000000000B50000-0x0000000000B78000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

pid	Process
3196	rev inv07014.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3196 set thread context of 1684	3196	rev inv07014.exe	84
PID 1684 set thread context of 3408	1684	rev inv07014.exe	56
PID 1684 set thread context of 3408	1684	rev inv07014.exe	56
PID 4836 set thread context of 3408	4836	mstsc.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rev inv07014.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1684	rev inv07014.exe
1684	rev inv07014.exe
1684	rev inv07014.exe
1684	rev inv07014.exe
1684	rev inv07014.exe
1684	rev inv07014.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe
4836	mstsc.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
3196	rev inv07014.exe
1684	rev inv07014.exe
1684	rev inv07014.exe
1684	rev inv07014.exe
1684	rev inv07014.exe
4836	mstsc.exe
4836	mstsc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	rev inv07014.exe
Token: SeDebugPrivilege	4836	mstsc.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 1684	3196	rev inv07014.exe	84
PID 3196 wrote to memory of 1684	3196	rev inv07014.exe	84
PID 3196 wrote to memory of 1684	3196	rev inv07014.exe	84
PID 3196 wrote to memory of 1684	3196	rev inv07014.exe	84
PID 3408 wrote to memory of 4836	3408	Explorer.EXE	89
PID 3408 wrote to memory of 4836	3408	Explorer.EXE	89
PID 3408 wrote to memory of 4836	3408	Explorer.EXE	89
PID 4836 wrote to memory of 720	4836	mstsc.exe	91
PID 4836 wrote to memory of 720	4836	mstsc.exe	91
PID 4836 wrote to memory of 720	4836	mstsc.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Users\Admin\AppData\Local\Temp\rev inv07014.exe
  "C:\Users\Admin\AppData\Local\Temp\rev inv07014.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Users\Admin\AppData\Local\Temp\rev inv07014.exe
    "C:\Users\Admin\AppData\Local\Temp\rev inv07014.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\rev inv07014.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zwgay.dll

Filesize
9KB

MD5
dcc94fb3455b7726349f6b05f98a9f1e

SHA1
ea2160715cddfde302043c8f69b63a3c03bc651d

SHA256
3d3288ebb21a28f71417efa86b6a136cb37340f3542ce8e99b267c7b347f73ef

SHA512
b3d6e8cae4d6e693b7b726120627a6815d7c5f29c51be26df041edb970727548bdb961b469ed74bc767ab2e27a6be5650122e2b968e81cca0571667277bd6305

Download Submit
memory/1684-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1684-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1684-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3196-3-0x0000000074370000-0x0000000074376000-memory.dmp

Filesize
24KB

Download
memory/3196-6-0x0000000074370000-0x0000000074376000-memory.dmp

Filesize
24KB

Download
memory/3408-13-0x0000000003300000-0x000000000347C000-memory.dmp

Filesize
1.5MB

Download
memory/3408-12-0x00000000086C0000-0x00000000087F9000-memory.dmp

Filesize
1.2MB

Download
memory/3408-9-0x0000000003300000-0x000000000347C000-memory.dmp

Filesize
1.5MB

Download
memory/3408-20-0x00000000086C0000-0x00000000087F9000-memory.dmp

Filesize
1.2MB

Download
memory/3408-23-0x0000000008E80000-0x0000000008F64000-memory.dmp

Filesize
912KB

Download
memory/3408-25-0x0000000008E80000-0x0000000008F64000-memory.dmp

Filesize
912KB

Download
memory/3408-26-0x0000000008E80000-0x0000000008F64000-memory.dmp

Filesize
912KB

Download
memory/4836-16-0x00000000000F0000-0x000000000022A000-memory.dmp

Filesize
1.2MB

Download
memory/4836-18-0x00000000000F0000-0x000000000022A000-memory.dmp

Filesize
1.2MB

Download
memory/4836-19-0x0000000000B50000-0x0000000000B78000-memory.dmp

Filesize
160KB

Download