xloader | 57fde6ab463eabd779e138a0ef61807a8e587894d65e2a215378ab6ba9963429

General

Target

zwgay.dll
Size

9KB
MD5

dcc94fb3455b7726349f6b05f98a9f1e
SHA1

ea2160715cddfde302043c8f69b63a3c03bc651d
SHA256

3d3288ebb21a28f71417efa86b6a136cb37340f3542ce8e99b267c7b347f73ef
SHA512

b3d6e8cae4d6e693b7b726120627a6815d7c5f29c51be26df041edb970727548bdb961b469ed74bc767ab2e27a6be5650122e2b968e81cca0571667277bd6305
SSDEEP

192:lxRcBDJ0tI8S85DR8THYS1YNHgTs22FFVFUFF:DqBAxHzIHY0Y2TIrW

Score

10^/10

xloader ymri discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ymri

Decoy

cqmlhy.com

districtdisinfectant.com

canadohta.com

indipetals.com

zygjzz.com

bodybionixusa.com

myfoodiedoodie.com

littletinesonlinestore.com

zerofive100.com

odd-spaces.com

luxxnights.com

d-electric.com

fastkl.com

mywayinto.com

vitalpassion.com

usedmercedessprinters.net

caofeicao.com

emehciti.com

smartaider.com

ssgasika.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral3/memory/2284-4-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral3/memory/2284-8-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral3/memory/1476-14-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2468 set thread context of 2284	2468	rundll32.exe	32
PID 2284 set thread context of 1216	2284	rundll32.exe	21
PID 1476 set thread context of 1216	1476	explorer.exe	21

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2284	rundll32.exe
2284	rundll32.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2468	rundll32.exe
2284	rundll32.exe
2284	rundll32.exe
2284	rundll32.exe
1476	explorer.exe
1476	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	rundll32.exe
Token: SeDebugPrivilege	1476	explorer.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2468	2464	rundll32.exe	31
PID 2464 wrote to memory of 2468	2464	rundll32.exe	31
PID 2464 wrote to memory of 2468	2464	rundll32.exe	31
PID 2464 wrote to memory of 2468	2464	rundll32.exe	31
PID 2464 wrote to memory of 2468	2464	rundll32.exe	31
PID 2464 wrote to memory of 2468	2464	rundll32.exe	31
PID 2464 wrote to memory of 2468	2464	rundll32.exe	31
PID 2468 wrote to memory of 2284	2468	rundll32.exe	32
PID 2468 wrote to memory of 2284	2468	rundll32.exe	32
PID 2468 wrote to memory of 2284	2468	rundll32.exe	32
PID 2468 wrote to memory of 2284	2468	rundll32.exe	32
PID 2468 wrote to memory of 2284	2468	rundll32.exe	32
PID 2468 wrote to memory of 2284	2468	rundll32.exe	32
PID 2468 wrote to memory of 2284	2468	rundll32.exe	32
PID 2468 wrote to memory of 2284	2468	rundll32.exe	32
PID 1216 wrote to memory of 1476	1216	Explorer.EXE	33
PID 1216 wrote to memory of 1476	1216	Explorer.EXE	33
PID 1216 wrote to memory of 1476	1216	Explorer.EXE	33
PID 1216 wrote to memory of 1476	1216	Explorer.EXE	33
PID 1476 wrote to memory of 2156	1476	explorer.exe	34
PID 1476 wrote to memory of 2156	1476	explorer.exe	34
PID 1476 wrote to memory of 2156	1476	explorer.exe	34
PID 1476 wrote to memory of 2156	1476	explorer.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\zwgay.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\zwgay.dll,#1
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\zwgay.dll,#1
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2284
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\rundll32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1216-11-0x0000000005080000-0x00000000051BF000-memory.dmp

Filesize
1.2MB

Download
memory/1216-15-0x0000000005080000-0x00000000051BF000-memory.dmp

Filesize
1.2MB

Download
memory/1476-14-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1476-13-0x00000000007C0000-0x0000000000A41000-memory.dmp

Filesize
2.5MB

Download
memory/1476-12-0x00000000007C0000-0x0000000000A41000-memory.dmp

Filesize
2.5MB

Download
memory/2284-6-0x0000000002110000-0x0000000002413000-memory.dmp

Filesize
3.0MB

Download
memory/2284-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2284-10-0x00000000001A0000-0x00000000001B0000-memory.dmp

Filesize
64KB

Download
memory/2284-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2468-1-0x00000000754D0000-0x00000000754D6000-memory.dmp

Filesize
24KB

Download
memory/2468-5-0x00000000754D0000-0x00000000754D6000-memory.dmp

Filesize
24KB

Download
memory/2468-0-0x00000000754E0000-0x00000000754E6000-memory.dmp

Filesize
24KB

Download
memory/2468-2-0x00000000754E0000-0x00000000754E6000-memory.dmp

Filesize
24KB

Download
memory/2468-3-0x00000000754D0000-0x00000000754D6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing