xloader | 57fde6ab463eabd779e138a0ef61807a8e587894d65e2a215378ab6ba9963429

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zwgay.dll
Size

9KB
MD5

dcc94fb3455b7726349f6b05f98a9f1e
SHA1

ea2160715cddfde302043c8f69b63a3c03bc651d
SHA256

3d3288ebb21a28f71417efa86b6a136cb37340f3542ce8e99b267c7b347f73ef
SHA512

b3d6e8cae4d6e693b7b726120627a6815d7c5f29c51be26df041edb970727548bdb961b469ed74bc767ab2e27a6be5650122e2b968e81cca0571667277bd6305
SSDEEP

192:lxRcBDJ0tI8S85DR8THYS1YNHgTs22FFVFUFF:DqBAxHzIHY0Y2TIrW

Score

10^/10

xloader ymri discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ymri

Decoy

cqmlhy.com

districtdisinfectant.com

canadohta.com

indipetals.com

zygjzz.com

bodybionixusa.com

myfoodiedoodie.com

littletinesonlinestore.com

zerofive100.com

odd-spaces.com

luxxnights.com

d-electric.com

fastkl.com

mywayinto.com

vitalpassion.com

usedmercedessprinters.net

caofeicao.com

emehciti.com

smartaider.com

ssgasika.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral4/memory/2412-1-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral4/memory/2412-5-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral4/memory/548-11-0x0000000001400000-0x0000000001428000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1608 set thread context of 2412	1608	rundll32.exe	84
PID 2412 set thread context of 3536	2412	rundll32.exe	56
PID 548 set thread context of 3536	548	mstsc.exe	56

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2412	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe
548	mstsc.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1608	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe
548	mstsc.exe
548	mstsc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	rundll32.exe
Token: SeDebugPrivilege	548	mstsc.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 1608	2652	rundll32.exe	83
PID 2652 wrote to memory of 1608	2652	rundll32.exe	83
PID 2652 wrote to memory of 1608	2652	rundll32.exe	83
PID 1608 wrote to memory of 2412	1608	rundll32.exe	84
PID 1608 wrote to memory of 2412	1608	rundll32.exe	84
PID 1608 wrote to memory of 2412	1608	rundll32.exe	84
PID 1608 wrote to memory of 2412	1608	rundll32.exe	84
PID 3536 wrote to memory of 548	3536	Explorer.EXE	85
PID 3536 wrote to memory of 548	3536	Explorer.EXE	85
PID 3536 wrote to memory of 548	3536	Explorer.EXE	85
PID 548 wrote to memory of 4360	548	mstsc.exe	89
PID 548 wrote to memory of 4360	548	mstsc.exe	89
PID 548 wrote to memory of 4360	548	mstsc.exe	89

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\zwgay.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\zwgay.dll,#1
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\zwgay.dll,#1
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2412
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\rundll32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/548-8-0x0000000000FF0000-0x000000000112A000-memory.dmp

Filesize
1.2MB

Download
memory/548-11-0x0000000001400000-0x0000000001428000-memory.dmp

Filesize
160KB

Download
memory/548-10-0x0000000000FF0000-0x000000000112A000-memory.dmp

Filesize
1.2MB

Download
memory/1608-2-0x0000000075420000-0x0000000075426000-memory.dmp

Filesize
24KB

Download
memory/1608-0-0x0000000075420000-0x0000000075426000-memory.dmp

Filesize
24KB

Download
memory/2412-3-0x0000000002F20000-0x000000000326A000-memory.dmp

Filesize
3.3MB

Download
memory/2412-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2412-6-0x0000000002E50000-0x0000000002E60000-memory.dmp

Filesize
64KB

Download
memory/2412-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3536-7-0x0000000003160000-0x000000000323D000-memory.dmp

Filesize
884KB

Download
memory/3536-12-0x0000000003160000-0x000000000323D000-memory.dmp

Filesize
884KB

Download
memory/3536-16-0x0000000008A70000-0x0000000008BEB000-memory.dmp

Filesize
1.5MB

Download
memory/3536-17-0x0000000008A70000-0x0000000008BEB000-memory.dmp

Filesize
1.5MB

Download
memory/3536-19-0x0000000008A70000-0x0000000008BEB000-memory.dmp

Filesize
1.5MB

Download