xloader | cacb6d35444a261d49962f30f25fa39950bef34049ab6452f58ce80c71d97ed6

General

Target

jkdgfjdksjjs.exe
Size

307KB
MD5

f8693bc45ac1f9a8acdd9bc061ad3c2e
SHA1

b988fd20ffd3b96c4e38783d280b3e35b48ccbfb
SHA256

5ba1c9a3ebf5b288588742abae0a909ac72b081e1d6273e8e7766f81d6ffa5fb
SHA512

f9361f370f023cc12e3b890a46045d03dbcc0502f5c6ae3a5bdcb44c09e39a020a7db1f76d891a18ab0d819dd9d639d9b3af2ecf377328e17bc94421541b53b3
SSDEEP

6144:TwWDio4om2Ju0v3RP9CrYnhAze5/cK8KtLils6CwsDpdP3m:r+o4om2u0Z9CrYnStK8as2m

Score

10^/10

xloader tod8 discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

tod8

Decoy

shabizy5.com

sattaking-delhiborder01.xyz

venetianmountains.com

vertogaastad.quest

zimalek.com

olympiacrownhotel.com

dubbostorage.online

mosescorrea.com

japanroofing.com

mashareq.store

gdetcz.com

slimmersite.com

aplintec.com

878971.com

charlottesbestroofcompany.com

into-mena.com

newlysupply.com

bianncapace.com

netrew.com

anhecapital.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1932-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1932-16-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1932-20-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2732-27-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
3040	uzumdnygfv.exe
1932	uzumdnygfv.exe

Loads dropped DLL 2 IoCs

pid	Process
1620	jkdgfjdksjjs.exe
3040	uzumdnygfv.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 1932	3040	uzumdnygfv.exe	32
PID 1932 set thread context of 1140	1932	uzumdnygfv.exe	20
PID 1932 set thread context of 1140	1932	uzumdnygfv.exe	20
PID 2732 set thread context of 1140	2732	help.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jkdgfjdksjjs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzumdnygfv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	help.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1932	uzumdnygfv.exe
1932	uzumdnygfv.exe
1932	uzumdnygfv.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe
2732	help.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1932	uzumdnygfv.exe
1932	uzumdnygfv.exe
1932	uzumdnygfv.exe
1932	uzumdnygfv.exe
2732	help.exe
2732	help.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	uzumdnygfv.exe
Token: SeDebugPrivilege	2732	help.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1140	Explorer.EXE
1140	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1140	Explorer.EXE
1140	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 3040	1620	jkdgfjdksjjs.exe	30
PID 1620 wrote to memory of 3040	1620	jkdgfjdksjjs.exe	30
PID 1620 wrote to memory of 3040	1620	jkdgfjdksjjs.exe	30
PID 1620 wrote to memory of 3040	1620	jkdgfjdksjjs.exe	30
PID 3040 wrote to memory of 1932	3040	uzumdnygfv.exe	32
PID 3040 wrote to memory of 1932	3040	uzumdnygfv.exe	32
PID 3040 wrote to memory of 1932	3040	uzumdnygfv.exe	32
PID 3040 wrote to memory of 1932	3040	uzumdnygfv.exe	32
PID 3040 wrote to memory of 1932	3040	uzumdnygfv.exe	32
PID 3040 wrote to memory of 1932	3040	uzumdnygfv.exe	32
PID 3040 wrote to memory of 1932	3040	uzumdnygfv.exe	32
PID 1140 wrote to memory of 2732	1140	Explorer.EXE	34
PID 1140 wrote to memory of 2732	1140	Explorer.EXE	34
PID 1140 wrote to memory of 2732	1140	Explorer.EXE	34
PID 1140 wrote to memory of 2732	1140	Explorer.EXE	34
PID 2732 wrote to memory of 2852	2732	help.exe	35
PID 2732 wrote to memory of 2852	2732	help.exe	35
PID 2732 wrote to memory of 2852	2732	help.exe	35
PID 2732 wrote to memory of 2852	2732	help.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\jkdgfjdksjjs.exe
  "C:\Users\Admin\AppData\Local\Temp\jkdgfjdksjjs.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\uzumdnygfv.exe
    C:\Users\Admin\AppData\Local\Temp\uzumdnygfv.exe C:\Users\Admin\AppData\Local\Temp\rdsgx
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\uzumdnygfv.exe
      C:\Users\Admin\AppData\Local\Temp\uzumdnygfv.exe C:\Users\Admin\AppData\Local\Temp\rdsgx
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1932
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\uzumdnygfv.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lmhranw898oy4a3ouvy

Filesize
213KB

MD5
4f77e81f7946fa82c88e5d23e97b2211

SHA1
de3715ab36335cb466e29ddc7825c525f6291cef

SHA256
aad87297ea51c46c5a3eb83ad7581013b70b9c3fde0d7ec517399101102b7efa

SHA512
568519236741317f98a23521d95869088d88f5540dc79185ff6b5605dc8a65ad89339fe685e8e66897eaac0ac39ff5ccdc06399374539395fea3ca62345a37e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdsgx

Filesize
4KB

MD5
5bbfad15b5e497b4c3a63a4eff766607

SHA1
98f1ed9e56c52a422e16615aa2d6987ea7cbcffb

SHA256
5ac571ee6b02395f8170c6f9c0002217c212fdf5b4d1bc6752eebaba84c817a9

SHA512
cda28999d79ec17c1179c3e4773f479bb23ac2d262c1258cc876212feb134736fbbbeb1975936d29d8835fbbba746672037fc7e320a22ff2d08fb08024550d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzumdnygfv.exe

Filesize
116KB

MD5
259e6385e66fb2fb767d9890621d97d5

SHA1
4d1f445199912de9b44ceda0fba6a42eaa73c79a

SHA256
a39611e75ae56a71d3266f2ede64e92ba3fcccca6d626603363d3e8397ed4ed4

SHA512
fb384a1b6767349e4d01c75b173008b839308b4e8c5c23bc0ceb10384be6af2caee22455b1e317abaa93e83ccd98a9b503997c3a51604ca9002539947511b797

Download Submit
memory/1140-28-0x00000000050E0000-0x000000000519B000-memory.dmp

Filesize
748KB

Download
memory/1140-35-0x0000000007530000-0x000000000763A000-memory.dmp

Filesize
1.0MB

Download
memory/1140-34-0x0000000007530000-0x000000000763A000-memory.dmp

Filesize
1.0MB

Download
memory/1140-32-0x0000000007530000-0x000000000763A000-memory.dmp

Filesize
1.0MB

Download
memory/1140-17-0x0000000003160000-0x0000000003260000-memory.dmp

Filesize
1024KB

Download
memory/1140-18-0x00000000066C0000-0x0000000006831000-memory.dmp

Filesize
1.4MB

Download
memory/1140-21-0x00000000066C0000-0x0000000006831000-memory.dmp

Filesize
1.4MB

Download
memory/1140-22-0x00000000050E0000-0x000000000519B000-memory.dmp

Filesize
748KB

Download
memory/1932-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1932-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1932-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2732-25-0x0000000000E10000-0x0000000000E16000-memory.dmp

Filesize
24KB

Download
memory/2732-27-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2732-26-0x0000000000E10000-0x0000000000E16000-memory.dmp

Filesize
24KB

Download
memory/3040-9-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing