xloader | dfe575e0e504a2d2ea98530ac665d5bed5e0dc901a20b513289f1bb40e00065b

General

Target

f6f0605ad0d43fbc77adc372198d2fd9768b93fe51f3fa050843fc4293050e84.exe
Size

449KB
MD5

0d8bfc7c89bf7e0a94ed8cf9b7b46929
SHA1

d0a103769bcbabbbaa6f5c15dfb28f36a3575aaa
SHA256

f6f0605ad0d43fbc77adc372198d2fd9768b93fe51f3fa050843fc4293050e84
SHA512

18813ba2ffdc9517c7cd2a918c5b51d7ed5b60b0f1b65c5e5c524bc98d82b7dfd2b6bf1e74dd30e11ef8fdbce583fb812eeb39b88d92c648d097102e71a00dd3
SSDEEP

12288:qacFoWoWoWWoWyFip5EJWp819uSUUrFeABn0uMSRf:qjoWoWoWWoWyFBJG819UUrMAdjbf

Score

10^/10

xloader w6ot discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

w6ot

Decoy

zerodawnprime.com

chunhejingming.com

estrellafiamma.biz

meetbotique.com

westernghatsstudyabroad.com

madysenlenihancoaching.com

c2batlrjm05uzzjnamm8627.com

sasamamai.com

softcherry.club

iputtbetter.store

sointuboete.quest

mahadevwardrobe.online

goedkope-ladegeleiders.online

g3taquotea.info

987vna.club

justdodge.net

b95202.com

dwabiegunyfotografii.com

entrustqlxorx.online

busineschatcom.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1644-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1644-16-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/280-24-0x0000000000090000-0x00000000000B9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
2572	yqhhtdxak.exe
1644	yqhhtdxak.exe

Loads dropped DLL 2 IoCs

pid	Process
3068	f6f0605ad0d43fbc77adc372198d2fd9768b93fe51f3fa050843fc4293050e84.exe
2572	yqhhtdxak.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2572 set thread context of 1644	2572	yqhhtdxak.exe	32
PID 1644 set thread context of 1188	1644	yqhhtdxak.exe	21
PID 280 set thread context of 1188	280	rundll32.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6f0605ad0d43fbc77adc372198d2fd9768b93fe51f3fa050843fc4293050e84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yqhhtdxak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1644	yqhhtdxak.exe
1644	yqhhtdxak.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe
280	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1644	yqhhtdxak.exe
1644	yqhhtdxak.exe
1644	yqhhtdxak.exe
280	rundll32.exe
280	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	yqhhtdxak.exe
Token: SeDebugPrivilege	280	rundll32.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2572	3068	f6f0605ad0d43fbc77adc372198d2fd9768b93fe51f3fa050843fc4293050e84.exe	30
PID 3068 wrote to memory of 2572	3068	f6f0605ad0d43fbc77adc372198d2fd9768b93fe51f3fa050843fc4293050e84.exe	30
PID 3068 wrote to memory of 2572	3068	f6f0605ad0d43fbc77adc372198d2fd9768b93fe51f3fa050843fc4293050e84.exe	30
PID 3068 wrote to memory of 2572	3068	f6f0605ad0d43fbc77adc372198d2fd9768b93fe51f3fa050843fc4293050e84.exe	30
PID 2572 wrote to memory of 1644	2572	yqhhtdxak.exe	32
PID 2572 wrote to memory of 1644	2572	yqhhtdxak.exe	32
PID 2572 wrote to memory of 1644	2572	yqhhtdxak.exe	32
PID 2572 wrote to memory of 1644	2572	yqhhtdxak.exe	32
PID 2572 wrote to memory of 1644	2572	yqhhtdxak.exe	32
PID 2572 wrote to memory of 1644	2572	yqhhtdxak.exe	32
PID 2572 wrote to memory of 1644	2572	yqhhtdxak.exe	32
PID 1188 wrote to memory of 280	1188	Explorer.EXE	33
PID 1188 wrote to memory of 280	1188	Explorer.EXE	33
PID 1188 wrote to memory of 280	1188	Explorer.EXE	33
PID 1188 wrote to memory of 280	1188	Explorer.EXE	33
PID 1188 wrote to memory of 280	1188	Explorer.EXE	33
PID 1188 wrote to memory of 280	1188	Explorer.EXE	33
PID 1188 wrote to memory of 280	1188	Explorer.EXE	33
PID 280 wrote to memory of 2844	280	rundll32.exe	34
PID 280 wrote to memory of 2844	280	rundll32.exe	34
PID 280 wrote to memory of 2844	280	rundll32.exe	34
PID 280 wrote to memory of 2844	280	rundll32.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\f6f0605ad0d43fbc77adc372198d2fd9768b93fe51f3fa050843fc4293050e84.exe
  "C:\Users\Admin\AppData\Local\Temp\f6f0605ad0d43fbc77adc372198d2fd9768b93fe51f3fa050843fc4293050e84.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\yqhhtdxak.exe
    C:\Users\Admin\AppData\Local\Temp\yqhhtdxak.exe C:\Users\Admin\AppData\Local\Temp\wkzmii
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\yqhhtdxak.exe
      C:\Users\Admin\AppData\Local\Temp\yqhhtdxak.exe C:\Users\Admin\AppData\Local\Temp\wkzmii
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1644
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:280
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\yqhhtdxak.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\idw4wrb6hs3flmqfavtc

Filesize
212KB

MD5
f6fd6fc42bb906db74867fe2f80ecc88

SHA1
0d592e5b25a8563dc21ed4ff778f7d7e0febfdaf

SHA256
c1aa659685fc89fe82969cb7a8b794e6bfdd226c27d3d3f4ec9c7318b9c7160a

SHA512
a2b85d3b402b7a64e2fe44a9d06b1d3b6625c924b16c3e6caede1e003cd810c5a9484ef730c7173659ef8d9ee5c8eb14fda4b5c27a72c9efc33e6506a9dcac5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkzmii

Filesize
4KB

MD5
2a0cd291c155c01ea8fec4fa4b8186c4

SHA1
e5980828495c0ca0f298263bca1874f4b83ed9e9

SHA256
d4763517a4eca32f7988f49f550976f77b595160055cb55fdcac684197e4c240

SHA512
325e5a6b882ca419c25964f87a018d18a9cb19de3a6ecb27d79c2d7d1436692f580153b70c75f4e3c945a987d6d5bf6e65381509674b6d2cf64e959e127e0f5a

Download Submit
\Users\Admin\AppData\Local\Temp\yqhhtdxak.exe

Filesize
118KB

MD5
1eb006bcb7e588f1e2be72989da84baa

SHA1
6c5231c0d131eb50d78107843369ccd291a8f4fb

SHA256
c631eb2b09767dd4416cd03992adb1c9ad2e1d4804fad9bf88123859bb30b6c7

SHA512
d3c643d4b70d133a4c6317795249f37f1ef2ad9614823d0f9fc7a41ccb3bb9a12d9f444f8191c31e496c7b3300d000ce3c778aafb0abb5b4514f30909b0a1034

Download Submit
memory/280-23-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/280-21-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/280-20-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/280-24-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1188-17-0x0000000005210000-0x0000000005390000-memory.dmp

Filesize
1.5MB

Download
memory/1188-25-0x0000000005210000-0x0000000005390000-memory.dmp

Filesize
1.5MB

Download
memory/1188-30-0x0000000006860000-0x00000000069C5000-memory.dmp

Filesize
1.4MB

Download
memory/1188-31-0x0000000006860000-0x00000000069C5000-memory.dmp

Filesize
1.4MB

Download
memory/1188-33-0x0000000006860000-0x00000000069C5000-memory.dmp

Filesize
1.4MB

Download
memory/1644-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1644-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2572-9-0x0000000000290000-0x0000000000292000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing