xloader | 13af3ad92eb86c2c95c816ac526b97c78e0aaed46535c61bf363d768bb2cb0c9

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19979.exe
Size

630KB
MD5

1c41d0198adc92df0a83e60c27c76c78
SHA1

689aa46c42c440b86e7a11a18bca0c4c6afd9c0e
SHA256

6ff40b2ed84520e3135881c7a31a49f2a0952e1ed7a9739527b1619bcb6ec8f8
SHA512

f2e562a2d7f916587f5ac71efe34ad431ae45632080d7e9f3cd3108f7b5afd23fb473b3bda3577eaa4b0570c4a8969c124398da0997a6a04597c3396137924c5
SSDEEP

12288:xnZHHEPo3PUuUSc6AdkuqV3wuEW2ypRxRWj:xZnEPonoawe2yVRS

Score

10^/10

xloader nd04 discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nd04

Decoy

picsedits.com

ceinpsico.com

151motors.com

rollingstrollers.com

yonghengwenhua.store

thesortinghouse3j.com

piboise.com

xgdfjm.com

icloud-verify.com

exeterloftrefurbishments.com

kascae.biz

mujeresimparablesterramar.com

samsungcorporate.com

journee2sobriety.com

quanqiu00000.com

gigharborapartment.com

spacdesignerhomes.online

alcantaraleiloes.com

gibbsrecordingco.com

aftermarketbiz.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2524-14-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2524-18-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2900-24-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2572 cmd.exe

pid	process
2572	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

19979.exe19979.execolorcpl.exe

description	pid	process	target process
PID 2060 set thread context of 2524	2060	19979.exe	19979.exe
PID 2524 set thread context of 1208	2524	19979.exe	Explorer.EXE
PID 2900 set thread context of 1208	2900	colorcpl.exe	Explorer.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

19979.execolorcpl.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19979.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	colorcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

19979.execolorcpl.exe

pid	process
2524	19979.exe
2524	19979.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe
2900	colorcpl.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

19979.execolorcpl.exe

pid process

2524 19979.exe
2524 19979.exe
2524 19979.exe
2900 colorcpl.exe
2900 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

19979.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 2524 19979.exe
Token: SeDebugPrivilege 2900 colorcpl.exe

description	pid	process
Token: SeDebugPrivilege	2524	19979.exe
Token: SeDebugPrivilege	2900	colorcpl.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

19979.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 2060 wrote to memory of 2524	2060	19979.exe	19979.exe
PID 2060 wrote to memory of 2524	2060	19979.exe	19979.exe
PID 2060 wrote to memory of 2524	2060	19979.exe	19979.exe
PID 2060 wrote to memory of 2524	2060	19979.exe	19979.exe
PID 2060 wrote to memory of 2524	2060	19979.exe	19979.exe
PID 2060 wrote to memory of 2524	2060	19979.exe	19979.exe
PID 2060 wrote to memory of 2524	2060	19979.exe	19979.exe
PID 1208 wrote to memory of 2900	1208	Explorer.EXE	colorcpl.exe
PID 1208 wrote to memory of 2900	1208	Explorer.EXE	colorcpl.exe
PID 1208 wrote to memory of 2900	1208	Explorer.EXE	colorcpl.exe
PID 1208 wrote to memory of 2900	1208	Explorer.EXE	colorcpl.exe
PID 2900 wrote to memory of 2572	2900	colorcpl.exe	cmd.exe
PID 2900 wrote to memory of 2572	2900	colorcpl.exe	cmd.exe
PID 2900 wrote to memory of 2572	2900	colorcpl.exe	cmd.exe
PID 2900 wrote to memory of 2572	2900	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\19979.exe
  "C:\Users\Admin\AppData\Local\Temp\19979.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\19979.exe
    "C:\Users\Admin\AppData\Local\Temp\19979.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\19979.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1208-25-0x0000000005090000-0x000000000515B000-memory.dmp

Filesize
812KB

Download
memory/1208-21-0x0000000005090000-0x000000000515B000-memory.dmp

Filesize
812KB

Download
memory/2060-15-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/2060-1-0x0000000000CF0000-0x0000000000D94000-memory.dmp

Filesize
656KB

Download
memory/2060-2-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/2060-3-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/2060-4-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

Filesize
4KB

Download
memory/2060-5-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/2060-6-0x0000000004CB0000-0x0000000004D22000-memory.dmp

Filesize
456KB

Download
memory/2060-7-0x0000000004840000-0x0000000004870000-memory.dmp

Filesize
192KB

Download
memory/2060-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

Filesize
4KB

Download
memory/2524-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2524-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2524-16-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/2524-19-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2524-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2524-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2524-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-22-0x0000000000650000-0x0000000000668000-memory.dmp

Filesize
96KB

Download
memory/2900-23-0x0000000000650000-0x0000000000668000-memory.dmp

Filesize
96KB

Download
memory/2900-24-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download