xloader | 06fe6437d4f617e320d87412411eab1405a2f0e3db836f748e9f2c925925e123

General

Target

3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9.exe
Size

315KB
MD5

fcbace1d61896c77315c37d60ac0e8ba
SHA1

c5a943c52d2479b2acf25b74318cc35fb7463ce3
SHA256

3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9
SHA512

d3817c88a7981b6356d43695d98ac45613d2f5708a31e9cfefe574bbce0d5b607d75b8935b7c712d8b00ff8c24a350e2f1920cdf143d427026c750af14354a9a
SSDEEP

6144:TxDXn5Nll+IMvGQNhauH4Ia79FldQ28EP5tWhMDZ7:NVFiGQ7awaJF428EP5EhAV

Score

10^/10

xloader nazb discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nazb

Decoy

polypixelarmy.com

dppu56.com

prayrowan.com

favoredysxdmg.xyz

swichkickoff.com

suddennnnnnnnnnnn06.xyz

your-own-vpn.com

ban-click.com

digiblogofficial.com

frugaimoms.quest

longoriaamanda.com

moonelegant.com

americanpawnaz.com

riverflowmassage.com

theresnosomedayinbadass.com

sacredsolomon.com

mkperfumy.com

yavastudasuda.net

votewhosright.com

lovetoconnect.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2440-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2440-15-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1372-22-0x00000000000D0000-0x00000000000F9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
2548	zqmpr.exe
2440	zqmpr.exe

Loads dropped DLL 2 IoCs

pid	Process
2104	3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9.exe
2548	zqmpr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2548 set thread context of 2440	2548	zqmpr.exe	30
PID 2440 set thread context of 1364	2440	zqmpr.exe	20
PID 1372 set thread context of 1364	1372	cmstp.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqmpr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2440	zqmpr.exe
2440	zqmpr.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe
1372	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2440	zqmpr.exe
2440	zqmpr.exe
2440	zqmpr.exe
1372	cmstp.exe
1372	cmstp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	zqmpr.exe
Token: SeDebugPrivilege	1372	cmstp.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2548	2104	3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9.exe	29
PID 2104 wrote to memory of 2548	2104	3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9.exe	29
PID 2104 wrote to memory of 2548	2104	3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9.exe	29
PID 2104 wrote to memory of 2548	2104	3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9.exe	29
PID 2548 wrote to memory of 2440	2548	zqmpr.exe	30
PID 2548 wrote to memory of 2440	2548	zqmpr.exe	30
PID 2548 wrote to memory of 2440	2548	zqmpr.exe	30
PID 2548 wrote to memory of 2440	2548	zqmpr.exe	30
PID 2548 wrote to memory of 2440	2548	zqmpr.exe	30
PID 2548 wrote to memory of 2440	2548	zqmpr.exe	30
PID 2548 wrote to memory of 2440	2548	zqmpr.exe	30
PID 1364 wrote to memory of 1372	1364	Explorer.EXE	32
PID 1364 wrote to memory of 1372	1364	Explorer.EXE	32
PID 1364 wrote to memory of 1372	1364	Explorer.EXE	32
PID 1364 wrote to memory of 1372	1364	Explorer.EXE	32
PID 1364 wrote to memory of 1372	1364	Explorer.EXE	32
PID 1364 wrote to memory of 1372	1364	Explorer.EXE	32
PID 1364 wrote to memory of 1372	1364	Explorer.EXE	32
PID 1372 wrote to memory of 2908	1372	cmstp.exe	33
PID 1372 wrote to memory of 2908	1372	cmstp.exe	33
PID 1372 wrote to memory of 2908	1372	cmstp.exe	33
PID 1372 wrote to memory of 2908	1372	cmstp.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9.exe
  "C:\Users\Admin\AppData\Local\Temp\3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\zqmpr.exe
    C:\Users\Admin\AppData\Local\Temp\zqmpr.exe C:\Users\Admin\AppData\Local\Temp\xjfzjtquol
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\zqmpr.exe
      C:\Users\Admin\AppData\Local\Temp\zqmpr.exe C:\Users\Admin\AppData\Local\Temp\xjfzjtquol
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2440
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2800
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\zqmpr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gj583cj9xaqbtzj

Filesize
211KB

MD5
711f2b058ad98319923accd36d79ddee

SHA1
3519abfca77a106b3b680bbaa566c5560e477253

SHA256
4e174dec50f4c982f183929b95fcbdd377e08066ec178f9ce80a6924d3cc822c

SHA512
8554704df1f7f57bd027d399951fc62c2d999be22d3dc2ed7b4c4b23ac4148e06f1c85a9b25960da8803392311f0988e830a09475c66a6c2a300ffc311c10a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjfzjtquol

Filesize
4KB

MD5
9e3fc120951e68dc589ef2d90234eafc

SHA1
d62882da2c7fd141490e3e96bd8a620e027c2981

SHA256
8529b99c3b895869d6fa1b8ca62e00f2226e0ef86caa84ab40540cfd57fcd6ee

SHA512
68b802b535ecf2b6cbee597bb16de2cc7b333986e201499046136476168baa2faac6e27bbeae8019f99cde8adf55bd6068791f6018a1a4117de10c990d2a2e53

Download Submit
\Users\Admin\AppData\Local\Temp\zqmpr.exe

Filesize
168KB

MD5
ce74b4dac6b9802e4706f44a435a039d

SHA1
592ec006650f8d45a6082cf4d13644133208be35

SHA256
d5604be362dd75dd20212e628dfbf6eb894e0ed6dd4e31aa09b50fef60dcdcc3

SHA512
5fc8a5f9719f7f258594b04d10a172899b470c1ee06949d9e9a1b2c8a4fe0d0472c5feec62271c4c0ebe27caa0fc704992ca0729d952a92862cf2746621ec6bb

Download Submit
memory/1364-17-0x0000000007330000-0x00000000074AE000-memory.dmp

Filesize
1.5MB

Download
memory/1364-23-0x0000000007330000-0x00000000074AE000-memory.dmp

Filesize
1.5MB

Download
memory/1372-20-0x0000000000760000-0x0000000000778000-memory.dmp

Filesize
96KB

Download
memory/1372-21-0x0000000000760000-0x0000000000778000-memory.dmp

Filesize
96KB

Download
memory/1372-22-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/2440-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2440-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2548-8-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing