xloader | 76c26d7e1b8e4ae914d3a870d540727bb5ea195777e0d77ee3d83340cfba8082

General

Target

M7SkDQIpuSpt4KR.exe
Size

690KB
MD5

2667b7eff8a62d63f951fcb39018a0d3
SHA1

76565ed25b4032ae6624ae665651dbc0b87cb591
SHA256

1fb328a56a2d1a4a30e135a597bf06565d1158e93983622ed6f35af046e66d09
SHA512

6789fbb7873fb28d87ec8fe3c6247cd6d8992b1cfde94f828b08f76c60f19de8cd1f0402822ce2e00568d03013ce985bdbf46cee4a3c22f1b2913bc581592a12
SSDEEP

12288:JBzcmhiTtohcWTShZupbhIRebp1SJJoGF+AHO8JY3D/ixBFmRq:JBomhiZJW4MvIR+1+CXd8Jsi1Wq

Score

10^/10

xloader e6wb discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

e6wb

Decoy

assetto.tech

surendramishra.com

bravohealthyskin.com

ipadzones.com

odmitatrends.quest

yfly633.xyz

firstwavegallery.com

moviedmine.com

hdcenergy.com

elbarcotechnology.com

sns-regionv.com

helmiaj.com

asgmedicalservice.store

siraestilistas.com

vbux.xyz

learnstarting.com

oceanmap.store

fullyloadedfiresticks.com

bingojx.com

airelibrerevista.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2928-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2928-17-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2744-24-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3004 set thread context of 2928	3004	M7SkDQIpuSpt4KR.exe	29
PID 2928 set thread context of 1188	2928	M7SkDQIpuSpt4KR.exe	20
PID 2744 set thread context of 1188	2744	NETSTAT.EXE	20

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M7SkDQIpuSpt4KR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2744	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2928	M7SkDQIpuSpt4KR.exe
2928	M7SkDQIpuSpt4KR.exe
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE
2744	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2928	M7SkDQIpuSpt4KR.exe
2928	M7SkDQIpuSpt4KR.exe
2928	M7SkDQIpuSpt4KR.exe
2744	NETSTAT.EXE
2744	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	M7SkDQIpuSpt4KR.exe
Token: SeDebugPrivilege	2744	NETSTAT.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2928	3004	M7SkDQIpuSpt4KR.exe	29
PID 3004 wrote to memory of 2928	3004	M7SkDQIpuSpt4KR.exe	29
PID 3004 wrote to memory of 2928	3004	M7SkDQIpuSpt4KR.exe	29
PID 3004 wrote to memory of 2928	3004	M7SkDQIpuSpt4KR.exe	29
PID 3004 wrote to memory of 2928	3004	M7SkDQIpuSpt4KR.exe	29
PID 3004 wrote to memory of 2928	3004	M7SkDQIpuSpt4KR.exe	29
PID 3004 wrote to memory of 2928	3004	M7SkDQIpuSpt4KR.exe	29
PID 1188 wrote to memory of 2744	1188	Explorer.EXE	33
PID 1188 wrote to memory of 2744	1188	Explorer.EXE	33
PID 1188 wrote to memory of 2744	1188	Explorer.EXE	33
PID 1188 wrote to memory of 2744	1188	Explorer.EXE	33
PID 2744 wrote to memory of 2608	2744	NETSTAT.EXE	34
PID 2744 wrote to memory of 2608	2744	NETSTAT.EXE	34
PID 2744 wrote to memory of 2608	2744	NETSTAT.EXE	34
PID 2744 wrote to memory of 2608	2744	NETSTAT.EXE	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\M7SkDQIpuSpt4KR.exe
  "C:\Users\Admin\AppData\Local\Temp\M7SkDQIpuSpt4KR.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\M7SkDQIpuSpt4KR.exe
    "C:\Users\Admin\AppData\Local\Temp\M7SkDQIpuSpt4KR.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2968
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2724
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2720
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\M7SkDQIpuSpt4KR.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1188-19-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/1188-23-0x0000000004DB0000-0x0000000004EEE000-memory.dmp

Filesize
1.2MB

Download
memory/1188-20-0x0000000004DB0000-0x0000000004EEE000-memory.dmp

Filesize
1.2MB

Download
memory/2744-24-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2744-22-0x0000000000690000-0x0000000000699000-memory.dmp

Filesize
36KB

Download
memory/2744-21-0x0000000000690000-0x0000000000699000-memory.dmp

Filesize
36KB

Download
memory/2928-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-18-0x0000000000190000-0x00000000001A1000-memory.dmp

Filesize
68KB

Download
memory/2928-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2928-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-15-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/3004-0-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/3004-14-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-6-0x0000000005470000-0x00000000054F2000-memory.dmp

Filesize
520KB

Download
memory/3004-5-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-4-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/3004-3-0x00000000004F0000-0x00000000004FE000-memory.dmp

Filesize
56KB

Download
memory/3004-2-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-1-0x0000000000F40000-0x0000000000FF2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing