xloader | 76c26d7e1b8e4ae914d3a870d540727bb5ea195777e0d77ee3d83340cfba8082

General

Target

M7SkDQIpuSpt4KR.exe
Size

690KB
MD5

2667b7eff8a62d63f951fcb39018a0d3
SHA1

76565ed25b4032ae6624ae665651dbc0b87cb591
SHA256

1fb328a56a2d1a4a30e135a597bf06565d1158e93983622ed6f35af046e66d09
SHA512

6789fbb7873fb28d87ec8fe3c6247cd6d8992b1cfde94f828b08f76c60f19de8cd1f0402822ce2e00568d03013ce985bdbf46cee4a3c22f1b2913bc581592a12
SSDEEP

12288:JBzcmhiTtohcWTShZupbhIRebp1SJJoGF+AHO8JY3D/ixBFmRq:JBomhiZJW4MvIR+1+CXd8Jsi1Wq

Score

10^/10

xloader e6wb discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

e6wb

Decoy

assetto.tech

surendramishra.com

bravohealthyskin.com

ipadzones.com

odmitatrends.quest

yfly633.xyz

firstwavegallery.com

moviedmine.com

hdcenergy.com

elbarcotechnology.com

sns-regionv.com

helmiaj.com

asgmedicalservice.store

siraestilistas.com

vbux.xyz

learnstarting.com

oceanmap.store

fullyloadedfiresticks.com

bingojx.com

airelibrerevista.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1912-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1912-17-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3412-25-0x0000000000A20000-0x0000000000A49000-memory.dmp	xloader
behavioral2/memory/3412-27-0x0000000000A20000-0x0000000000A49000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1348 set thread context of 1912	1348	M7SkDQIpuSpt4KR.exe	98
PID 1912 set thread context of 3444	1912	M7SkDQIpuSpt4KR.exe	56
PID 3412 set thread context of 3444	3412	msiexec.exe	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M7SkDQIpuSpt4KR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1912	M7SkDQIpuSpt4KR.exe
1912	M7SkDQIpuSpt4KR.exe
1912	M7SkDQIpuSpt4KR.exe
1912	M7SkDQIpuSpt4KR.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe
3412	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1912	M7SkDQIpuSpt4KR.exe
1912	M7SkDQIpuSpt4KR.exe
1912	M7SkDQIpuSpt4KR.exe
3412	msiexec.exe
3412	msiexec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	M7SkDQIpuSpt4KR.exe
Token: SeDebugPrivilege	3412	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1912	1348	M7SkDQIpuSpt4KR.exe	98
PID 1348 wrote to memory of 1912	1348	M7SkDQIpuSpt4KR.exe	98
PID 1348 wrote to memory of 1912	1348	M7SkDQIpuSpt4KR.exe	98
PID 1348 wrote to memory of 1912	1348	M7SkDQIpuSpt4KR.exe	98
PID 1348 wrote to memory of 1912	1348	M7SkDQIpuSpt4KR.exe	98
PID 1348 wrote to memory of 1912	1348	M7SkDQIpuSpt4KR.exe	98
PID 3444 wrote to memory of 3412	3444	Explorer.EXE	99
PID 3444 wrote to memory of 3412	3444	Explorer.EXE	99
PID 3444 wrote to memory of 3412	3444	Explorer.EXE	99
PID 3412 wrote to memory of 3592	3412	msiexec.exe	100
PID 3412 wrote to memory of 3592	3412	msiexec.exe	100
PID 3412 wrote to memory of 3592	3412	msiexec.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Local\Temp\M7SkDQIpuSpt4KR.exe
  "C:\Users\Admin\AppData\Local\Temp\M7SkDQIpuSpt4KR.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\M7SkDQIpuSpt4KR.exe
    "C:\Users\Admin\AppData\Local\Temp\M7SkDQIpuSpt4KR.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\M7SkDQIpuSpt4KR.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-14-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/1348-1-0x0000000000BF0000-0x0000000000CA2000-memory.dmp

Filesize
712KB

Download
memory/1348-2-0x0000000005C00000-0x00000000061A4000-memory.dmp

Filesize
5.6MB

Download
memory/1348-3-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/1348-5-0x00000000056C0000-0x00000000056CA000-memory.dmp

Filesize
40KB

Download
memory/1348-4-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/1348-6-0x0000000005940000-0x000000000594E000-memory.dmp

Filesize
56KB

Download
memory/1348-7-0x00000000061B0000-0x00000000061FC000-memory.dmp

Filesize
304KB

Download
memory/1348-8-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/1348-9-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/1348-10-0x0000000006520000-0x00000000065BC000-memory.dmp

Filesize
624KB

Download
memory/1348-11-0x00000000067B0000-0x0000000006832000-memory.dmp

Filesize
520KB

Download
memory/1348-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/1912-15-0x00000000011A0000-0x00000000014EA000-memory.dmp

Filesize
3.3MB

Download
memory/1912-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1912-18-0x0000000001180000-0x0000000001191000-memory.dmp

Filesize
68KB

Download
memory/1912-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3412-27-0x0000000000A20000-0x0000000000A49000-memory.dmp

Filesize
164KB

Download
memory/3412-20-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/3412-22-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/3412-24-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/3412-25-0x0000000000A20000-0x0000000000A49000-memory.dmp

Filesize
164KB

Download
memory/3412-26-0x00000000028E0000-0x0000000002C2A000-memory.dmp

Filesize
3.3MB

Download
memory/3412-29-0x0000000002800000-0x0000000002890000-memory.dmp

Filesize
576KB

Download
memory/3444-19-0x0000000002350000-0x000000000241B000-memory.dmp

Filesize
812KB

Download
memory/3444-28-0x0000000002350000-0x000000000241B000-memory.dmp

Filesize
812KB

Download
memory/3444-33-0x0000000007EB0000-0x0000000007FF5000-memory.dmp

Filesize
1.3MB

Download
memory/3444-34-0x0000000007EB0000-0x0000000007FF5000-memory.dmp

Filesize
1.3MB

Download
memory/3444-36-0x0000000007EB0000-0x0000000007FF5000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing