xloader | 2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8

General

Target

2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8.exe
Size

330KB
MD5

1aed40a6d6905d5925b73ed69e2abe5c
SHA1

9db9a82acad118dc6982aebbeafad0da4275761c
SHA256

2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8
SHA512

d081ffea933add3fc01fa413503a28c4b7ecbcabff7adecaa7be2b827de87b116e9b7c5d30c402a2a70a3bdd42590c604ff8c179f2135df71c461aad2618c65e
SSDEEP

6144:rGiWFJ+xCSNOoUApGXSgXra44WmkXOf21pNvdwSnNZ6hER+LtZwNANh:mc1peSyJTmOOydwSnNghEUN

Score

10^/10

xloader p2a5 discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p2a5

Decoy

gorillaslovebananas.com

zonaextasis.com

digitalpravin.online

memorialdoors.com

departmenteindhoven.com

vipulb.com

ruyibao365.com

ynpzz.com

matthewandjessica.com

winfrey2024.com

janetride.com

arairazur.xyz

alltheheads.com

amayawebdesigns.com

califunder.com

blacksource.xyz

farmasi.agency

ilmkibahar.com

thinkcentury.net

eskortclub.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2404-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2404-16-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2552-21-0x00000000000C0000-0x00000000000E9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
2840	sktwcrbcw.exe
2404	sktwcrbcw.exe

Loads dropped DLL 2 IoCs

pid	Process
2756	2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8.exe
2840	sktwcrbcw.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2840 set thread context of 2404	2840	sktwcrbcw.exe	31
PID 2404 set thread context of 1200	2404	sktwcrbcw.exe	21
PID 2552 set thread context of 1200	2552	wlanext.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sktwcrbcw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2404	sktwcrbcw.exe
2404	sktwcrbcw.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe
2552	wlanext.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2404	sktwcrbcw.exe
2404	sktwcrbcw.exe
2404	sktwcrbcw.exe
2552	wlanext.exe
2552	wlanext.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	sktwcrbcw.exe
Token: SeDebugPrivilege	2552	wlanext.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2840	2756	2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8.exe	30
PID 2756 wrote to memory of 2840	2756	2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8.exe	30
PID 2756 wrote to memory of 2840	2756	2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8.exe	30
PID 2756 wrote to memory of 2840	2756	2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8.exe	30
PID 2840 wrote to memory of 2404	2840	sktwcrbcw.exe	31
PID 2840 wrote to memory of 2404	2840	sktwcrbcw.exe	31
PID 2840 wrote to memory of 2404	2840	sktwcrbcw.exe	31
PID 2840 wrote to memory of 2404	2840	sktwcrbcw.exe	31
PID 2840 wrote to memory of 2404	2840	sktwcrbcw.exe	31
PID 2840 wrote to memory of 2404	2840	sktwcrbcw.exe	31
PID 2840 wrote to memory of 2404	2840	sktwcrbcw.exe	31
PID 1200 wrote to memory of 2552	1200	Explorer.EXE	32
PID 1200 wrote to memory of 2552	1200	Explorer.EXE	32
PID 1200 wrote to memory of 2552	1200	Explorer.EXE	32
PID 1200 wrote to memory of 2552	1200	Explorer.EXE	32
PID 2552 wrote to memory of 2528	2552	wlanext.exe	33
PID 2552 wrote to memory of 2528	2552	wlanext.exe	33
PID 2552 wrote to memory of 2528	2552	wlanext.exe	33
PID 2552 wrote to memory of 2528	2552	wlanext.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8.exe
  "C:\Users\Admin\AppData\Local\Temp\2420028d36da51aa0dae20755b04a555fd1fb943900b92694dd07b98a240fcf8.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\sktwcrbcw.exe
    C:\Users\Admin\AppData\Local\Temp\sktwcrbcw.exe C:\Users\Admin\AppData\Local\Temp\myzocc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\sktwcrbcw.exe
      C:\Users\Admin\AppData\Local\Temp\sktwcrbcw.exe C:\Users\Admin\AppData\Local\Temp\myzocc
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2404
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\sktwcrbcw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e9b93caba3chp

Filesize
210KB

MD5
6959c53711979583b19819771642483b

SHA1
eb9f8170afc344b9f50ea15ca7a69e5f283d1528

SHA256
0bd18b88232a68106339f089b902c0b842c2a02a30623f57bcf5f67eef83431e

SHA512
501a6672bcb7fb115d44ef57ec2e9ad087002e82150cbb32afd30638b033569c1beb41f63b755d9f49d8b5249a71f5201980b433a6f50d4f896ed394f1b7e4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\myzocc

Filesize
4KB

MD5
f0336e492b8ef2246e6312e55acccb00

SHA1
2aee4e08aa5f063a6a193e381a53332bb664627d

SHA256
6c3750621221fb01c27d222775414bf653a2e4c7825b20c0ce3581a73ba43387

SHA512
0e9e3194134a15ab8eafb3fd5f46167ed40e7fdb7c1c94f37de4f23acbb394f42c2229c2f16972c7e02a934bf5dc8e825379c815c51b2b8d40cc9485a2d29dae

Download Submit
\Users\Admin\AppData\Local\Temp\sktwcrbcw.exe

Filesize
168KB

MD5
e0e19fe43a0197178e47411ecac579d9

SHA1
df75c86efc582b3ae29dc024f1daf6355a039ccb

SHA256
9c9a983c1bf4fa89f56449f43b4cee03f21c707e517da90ee010d43ccb451388

SHA512
ce1792cfa792130031e46888bed40ff70c3c1d5713d99daae220c598d8705adf7367638615081db9f9b50e41981514a36eb5a554e5373ff6adc12c73869f8800

Download Submit
memory/1200-22-0x00000000051F0000-0x00000000052CE000-memory.dmp

Filesize
888KB

Download
memory/1200-18-0x00000000051F0000-0x00000000052CE000-memory.dmp

Filesize
888KB

Download
memory/2404-17-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2404-14-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/2404-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2404-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2552-20-0x0000000000680000-0x0000000000696000-memory.dmp

Filesize
88KB

Download
memory/2552-19-0x0000000000680000-0x0000000000696000-memory.dmp

Filesize
88KB

Download
memory/2552-21-0x00000000000C0000-0x00000000000E9000-memory.dmp

Filesize
164KB

Download
memory/2840-9-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing