xloader | 9970eba38e5e7952be87aa4b2e3c8469eee16dfad3e788f88c6b9b07bf49b24a

General

Target

f42692e58c63c0e14de4ce2bb31a92cb1bc5dbb11d0989f1619778fd4b7e2c5a.exe
Size

367KB
MD5

2818c9adb483309e0d5b2515b41a1507
SHA1

6f30bfff6c27aef73be247dfd2333b6845876afc
SHA256

f42692e58c63c0e14de4ce2bb31a92cb1bc5dbb11d0989f1619778fd4b7e2c5a
SHA512

b8b212bf7f7d0f28608681a3a65ec696f1f302aefc8fb1e37ff53df07e6b3a7a3a7f5650ddd0b897f7681a892129feebebc968deddb279c1808a7154d1128b19
SSDEEP

6144:TGiSUQepf9SGF0VBfXxG6xbXKJArYr0hOZg2guur3Hw03:mUd132BvIObXKeYohGLI3R3

Score

10^/10

xloader op53 discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

op53

Decoy

salamdiab.com

pysznepay.com

braktonem.quest

z5jgazn.xyz

jungleking.online

for2play.com

organizedkay.com

bitsgifts.com

autobras.online

paghosting.net

waltersswholesale.com

seculardata.com

hsa-attorneys.com

genyuandl.com

metalcorpperu.com

jasbellyfusion.com

weddingtowifepodcast.com

69xibao.xyz

dsp-energe.com

jantfencingandsheds.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1292-15-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1292-19-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2252-24-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
2416	tppxqd.exe
1292	tppxqd.exe

Loads dropped DLL 3 IoCs

pid	Process
2320	f42692e58c63c0e14de4ce2bb31a92cb1bc5dbb11d0989f1619778fd4b7e2c5a.exe
2320	f42692e58c63c0e14de4ce2bb31a92cb1bc5dbb11d0989f1619778fd4b7e2c5a.exe
2416	tppxqd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 1292	2416	tppxqd.exe	29
PID 1292 set thread context of 1216	1292	tppxqd.exe	21
PID 2252 set thread context of 1216	2252	chkdsk.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f42692e58c63c0e14de4ce2bb31a92cb1bc5dbb11d0989f1619778fd4b7e2c5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tppxqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chkdsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1292	tppxqd.exe
1292	tppxqd.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe
2252	chkdsk.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1292	tppxqd.exe
1292	tppxqd.exe
1292	tppxqd.exe
2252	chkdsk.exe
2252	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	tppxqd.exe
Token: SeDebugPrivilege	2252	chkdsk.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2416	2320	f42692e58c63c0e14de4ce2bb31a92cb1bc5dbb11d0989f1619778fd4b7e2c5a.exe	28
PID 2320 wrote to memory of 2416	2320	f42692e58c63c0e14de4ce2bb31a92cb1bc5dbb11d0989f1619778fd4b7e2c5a.exe	28
PID 2320 wrote to memory of 2416	2320	f42692e58c63c0e14de4ce2bb31a92cb1bc5dbb11d0989f1619778fd4b7e2c5a.exe	28
PID 2320 wrote to memory of 2416	2320	f42692e58c63c0e14de4ce2bb31a92cb1bc5dbb11d0989f1619778fd4b7e2c5a.exe	28
PID 2416 wrote to memory of 1292	2416	tppxqd.exe	29
PID 2416 wrote to memory of 1292	2416	tppxqd.exe	29
PID 2416 wrote to memory of 1292	2416	tppxqd.exe	29
PID 2416 wrote to memory of 1292	2416	tppxqd.exe	29
PID 2416 wrote to memory of 1292	2416	tppxqd.exe	29
PID 2416 wrote to memory of 1292	2416	tppxqd.exe	29
PID 2416 wrote to memory of 1292	2416	tppxqd.exe	29
PID 1216 wrote to memory of 2252	1216	Explorer.EXE	30
PID 1216 wrote to memory of 2252	1216	Explorer.EXE	30
PID 1216 wrote to memory of 2252	1216	Explorer.EXE	30
PID 1216 wrote to memory of 2252	1216	Explorer.EXE	30
PID 2252 wrote to memory of 2636	2252	chkdsk.exe	31
PID 2252 wrote to memory of 2636	2252	chkdsk.exe	31
PID 2252 wrote to memory of 2636	2252	chkdsk.exe	31
PID 2252 wrote to memory of 2636	2252	chkdsk.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\f42692e58c63c0e14de4ce2bb31a92cb1bc5dbb11d0989f1619778fd4b7e2c5a.exe
  "C:\Users\Admin\AppData\Local\Temp\f42692e58c63c0e14de4ce2bb31a92cb1bc5dbb11d0989f1619778fd4b7e2c5a.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\tppxqd.exe
    C:\Users\Admin\AppData\Local\Temp\tppxqd.exe C:\Users\Admin\AppData\Local\Temp\javajcgag
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\tppxqd.exe
      C:\Users\Admin\AppData\Local\Temp\tppxqd.exe C:\Users\Admin\AppData\Local\Temp\javajcgag
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1292
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\tppxqd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cq00wa9nwzhggd6xh

Filesize
210KB

MD5
7afc9c0913886b271a94e2fd65948e89

SHA1
f7d03107689ab4bf5b2bc498a27c833786e61296

SHA256
70b0b30720dea145d86b5a65c9aeb7d91d385e70697cb38dcb851f83cf36e1d6

SHA512
0623d890c3da06b22ba543d9af57da647eddfc74849a5db32b9e807fa9112554cf977ba1b342d00897c61eb641aa679d0294de529f41ba2cefed45c8fb9cba9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\javajcgag

Filesize
5KB

MD5
2cfb45713bf39a8b12312afeb8eeb863

SHA1
cdba2316f0374f2d6724e96ea4b4a6e4cc6782bc

SHA256
2420bb9b1c506c66cbcee9c739d39f9c0723aec89ac4dcee10d48bd8b17d7f92

SHA512
4394ac8470148989df4540f84fb74f6d3dc3df77ca3e2e7d100d90330bb09a52d288a1d96b81d79c3e7a692949fbdea2f036db244c471582ed9dad4aa471d63a

Download Submit
\Users\Admin\AppData\Local\Temp\tppxqd.exe

Filesize
114KB

MD5
3a4bc4e7fa9caf7ebc996222816d9ec2

SHA1
15e37286a7982a35092559743e7a2aadb2300a64

SHA256
56cd59981b0b8cf25d7d51c96b1cba9e300bc002a01030a08eb58ea30c015ef7

SHA512
26c6481987b859922c504fdc353cc1819943d9fbecea38cb01b0c708566788aca4fa5ff56c3e8f7a12be9be10dbbaca517f7423c00eb79d494cc83996a67b448

Download Submit
memory/1216-25-0x0000000004ED0000-0x0000000004FFD000-memory.dmp

Filesize
1.2MB

Download
memory/1216-21-0x0000000004ED0000-0x0000000004FFD000-memory.dmp

Filesize
1.2MB

Download
memory/1292-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1292-17-0x0000000000A10000-0x0000000000D13000-memory.dmp

Filesize
3.0MB

Download
memory/1292-20-0x00000000001C0000-0x00000000001D1000-memory.dmp

Filesize
68KB

Download
memory/1292-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2252-22-0x0000000000860000-0x0000000000867000-memory.dmp

Filesize
28KB

Download
memory/2252-23-0x0000000000860000-0x0000000000867000-memory.dmp

Filesize
28KB

Download
memory/2252-24-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2416-12-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing