xloader | 592e11609907e053f556ffcfc9a875ec74a8715c891689d318015ec32afc9815

General

Target

PAYMENT-PO6331-105.exe
Size

853KB
MD5

b639a37ca3c7bc94ae81fc2cc4b7da44
SHA1

c13c81065409f452a424ca3620906ccda0192910
SHA256

87616feaef4b9ca318abb0c4da6f7c7b1bd625706e6217a1b2a22f9cb618ea1a
SHA512

fe70bf637a93a50a745d5cc18cbc4018ac7789135ec84baffdaac63a3354d76b461a4731ff35c177463d5d47e62dbe5e31b415cfc93a8937f78335c191ffe3ab
SSDEEP

12288:5ANXMzYSSwTLMJX20dk/FRGaBp4hu6G3RNv8eF43RR9VCZ6vHRjN:zfSwTLMJX2jqQOp6RNUeF4DxjN

Score

10^/10

xloader o84d discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

o84d

Decoy

thetrendsharks.com

chaufagiste.com

lskuro.com

wasteconnectionsmyworkday.com

loveontrack28.com

tusder.com

now-focus.com

southerndrawfi.com

brattylipz.com

computip.com

thecreatingcouple.com

fuhrerscheinstelle.com

stally.club

leniure.com

cgoutsourcingservices.com

2055outpost.com

oujerseys.com

petsitandstrut.com

nerddotget.com

standvisuales.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2532-5-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2532-10-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2532-14-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1500-22-0x00000000003C0000-0x00000000003E9000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4788 set thread context of 2532	4788	PAYMENT-PO6331-105.exe	91
PID 2532 set thread context of 3432	2532	PAYMENT-PO6331-105.exe	56
PID 2532 set thread context of 3432	2532	PAYMENT-PO6331-105.exe	56
PID 1500 set thread context of 3432	1500	cmd.exe	56

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PAYMENT-PO6331-105.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PAYMENT-PO6331-105.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2532	PAYMENT-PO6331-105.exe
2532	PAYMENT-PO6331-105.exe
2532	PAYMENT-PO6331-105.exe
2532	PAYMENT-PO6331-105.exe
2532	PAYMENT-PO6331-105.exe
2532	PAYMENT-PO6331-105.exe
1500	cmd.exe
1500	cmd.exe
1500	cmd.exe
1500	cmd.exe
1500	cmd.exe
1500	cmd.exe
1500	cmd.exe
1500	cmd.exe
1500	cmd.exe
1500	cmd.exe
1500	cmd.exe
1500	cmd.exe
1500	cmd.exe
1500	cmd.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2532	PAYMENT-PO6331-105.exe
2532	PAYMENT-PO6331-105.exe
2532	PAYMENT-PO6331-105.exe
2532	PAYMENT-PO6331-105.exe
1500	cmd.exe
1500	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	PAYMENT-PO6331-105.exe
Token: SeDebugPrivilege	1500	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 2532	4788	PAYMENT-PO6331-105.exe	91
PID 4788 wrote to memory of 2532	4788	PAYMENT-PO6331-105.exe	91
PID 4788 wrote to memory of 2532	4788	PAYMENT-PO6331-105.exe	91
PID 4788 wrote to memory of 2532	4788	PAYMENT-PO6331-105.exe	91
PID 4788 wrote to memory of 2532	4788	PAYMENT-PO6331-105.exe	91
PID 4788 wrote to memory of 2532	4788	PAYMENT-PO6331-105.exe	91
PID 2532 wrote to memory of 1500	2532	PAYMENT-PO6331-105.exe	101
PID 2532 wrote to memory of 1500	2532	PAYMENT-PO6331-105.exe	101
PID 2532 wrote to memory of 1500	2532	PAYMENT-PO6331-105.exe	101
PID 1500 wrote to memory of 452	1500	cmd.exe	102
PID 1500 wrote to memory of 452	1500	cmd.exe	102
PID 1500 wrote to memory of 452	1500	cmd.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\PAYMENT-PO6331-105.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT-PO6331-105.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\PAYMENT-PO6331-105.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT-PO6331-105.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Users\Admin\AppData\Local\Temp\PAYMENT-PO6331-105.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:452
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:5108
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1840
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:4104
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:3704
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:752
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:5068
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:4568
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2460
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1500-20-0x0000000000410000-0x000000000046A000-memory.dmp

Filesize
360KB

Download
memory/1500-22-0x00000000003C0000-0x00000000003E9000-memory.dmp

Filesize
164KB

Download
memory/1500-18-0x0000000000410000-0x000000000046A000-memory.dmp

Filesize
360KB

Download
memory/2532-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2532-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2532-15-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/2532-11-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/2532-8-0x0000000001050000-0x000000000139A000-memory.dmp

Filesize
3.3MB

Download
memory/2532-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3432-21-0x0000000002A40000-0x0000000002B36000-memory.dmp

Filesize
984KB

Download
memory/3432-12-0x0000000002980000-0x0000000002A31000-memory.dmp

Filesize
708KB

Download
memory/3432-28-0x0000000007FE0000-0x00000000080EB000-memory.dmp

Filesize
1.0MB

Download
memory/3432-26-0x0000000007FE0000-0x00000000080EB000-memory.dmp

Filesize
1.0MB

Download
memory/3432-16-0x0000000002A40000-0x0000000002B36000-memory.dmp

Filesize
984KB

Download
memory/3432-17-0x0000000002980000-0x0000000002A31000-memory.dmp

Filesize
708KB

Download
memory/3432-25-0x0000000007FE0000-0x00000000080EB000-memory.dmp

Filesize
1.0MB

Download
memory/4788-3-0x0000000074C42000-0x0000000074C43000-memory.dmp

Filesize
4KB

Download
memory/4788-2-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/4788-1-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/4788-7-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/4788-4-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/4788-0-0x0000000074C42000-0x0000000074C43000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing