xloader | 8b8939bb5e3ad0c837d2ae0c901564f444570e5670befe5e09c47332cdbb7c25

General

Target

Scan_Doc.exe
Size

461KB
MD5

fe8f6ef45a87a9819d6e0ef206ae52dd
SHA1

1a0528c6e8d7b53ff1769a10d5cf5fa74cff3f06
SHA256

8c324ae28916d1fa2212f49fd7eebde3606f428d30a122109570070a455a8b21
SHA512

e1d6375e37dee7ffb0f370d5efb8cd6e121d2f8e208de621685a8bb4772e84deec29ff0e9959459f3d2bd79db1e1cecec9f052e4fa3a3330feae20dc12969b1e
SSDEEP

12288:7dKErHAyCCQTKAvVsH9W6Q8V6IuoMv56pKcfsF:xKEUZCWNaU1kg6wL

Score

10^/10

xloader md4m discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

md4m

Decoy

thegreenroomak.net

boxingforfitness.info

hynejubelured.com

elektrocentralybenza.online

getinteriorsolution.com

ajctrade.ltd

boytoyporn.com

charlotteetlachocolaterie.fr

martens-suomi.com

colesfax.com

laksmanawarehouse.com

extraordinarymiracle.com

hunttools.info

ofertasdesuvsinfosmex.com

banphimipad.com

jingjiguanchabao.com

keepourassets.com

haveitmore.com

bleuredmedia.com

hsgerontech.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2040-11-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2040-9-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2040-15-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1376-22-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Deletes itself 1 IoCs

pid	Process
2880	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1668	Scan_Doc.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 2040	1668	Scan_Doc.exe	31
PID 2040 set thread context of 1408	2040	Scan_Doc.exe	21
PID 2040 set thread context of 1408	2040	Scan_Doc.exe	21
PID 1376 set thread context of 1408	1376	ipconfig.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Scan_Doc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1376	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2040	Scan_Doc.exe
2040	Scan_Doc.exe
2040	Scan_Doc.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe
1376	ipconfig.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2040	Scan_Doc.exe
2040	Scan_Doc.exe
2040	Scan_Doc.exe
2040	Scan_Doc.exe
1376	ipconfig.exe
1376	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	Scan_Doc.exe
Token: SeDebugPrivilege	1376	ipconfig.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2040	1668	Scan_Doc.exe	31
PID 1668 wrote to memory of 2040	1668	Scan_Doc.exe	31
PID 1668 wrote to memory of 2040	1668	Scan_Doc.exe	31
PID 1668 wrote to memory of 2040	1668	Scan_Doc.exe	31
PID 1668 wrote to memory of 2040	1668	Scan_Doc.exe	31
PID 1668 wrote to memory of 2040	1668	Scan_Doc.exe	31
PID 1668 wrote to memory of 2040	1668	Scan_Doc.exe	31
PID 1408 wrote to memory of 1376	1408	Explorer.EXE	32
PID 1408 wrote to memory of 1376	1408	Explorer.EXE	32
PID 1408 wrote to memory of 1376	1408	Explorer.EXE	32
PID 1408 wrote to memory of 1376	1408	Explorer.EXE	32
PID 1376 wrote to memory of 2880	1376	ipconfig.exe	33
PID 1376 wrote to memory of 2880	1376	ipconfig.exe	33
PID 1376 wrote to memory of 2880	1376	ipconfig.exe	33
PID 1376 wrote to memory of 2880	1376	ipconfig.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\Scan_Doc.exe
  "C:\Users\Admin\AppData\Local\Temp\Scan_Doc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\Scan_Doc.exe
    "C:\Users\Admin\AppData\Local\Temp\Scan_Doc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Scan_Doc.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsjE754.tmp\aapez.dll

Filesize
355KB

MD5
efab3fb0e77806bfa18185bf2f3b8047

SHA1
d4d56f97e29be2d095baea32ac802ac34d5df8f5

SHA256
9dc23ec35cbf336e98d2c7c59676d358113ff2340863daf327bc85b1f9fbf4ed

SHA512
d99f844ece5cc22f11f8da74510fbe547bc20e11167ceed583aeab93877148464c3ad20f71e910dd5be0dcb0703a9900cd2d13d8ff6ba6fe91e29f0bb85019ee

Download Submit
memory/1376-21-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1376-22-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1376-20-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1408-12-0x0000000003AC0000-0x0000000003CC0000-memory.dmp

Filesize
2.0MB

Download
memory/1408-23-0x0000000006640000-0x00000000066F9000-memory.dmp

Filesize
740KB

Download
memory/1408-13-0x0000000006E90000-0x0000000006FD5000-memory.dmp

Filesize
1.3MB

Download
memory/1408-16-0x0000000006E90000-0x0000000006FD5000-memory.dmp

Filesize
1.3MB

Download
memory/1408-17-0x0000000006640000-0x00000000066F9000-memory.dmp

Filesize
740KB

Download
memory/1668-7-0x0000000074F46000-0x0000000074F48000-memory.dmp

Filesize
8KB

Download
memory/2040-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2040-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2040-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing