xloader | 7ddfdaeede228d26fdcb95ba82efd2f3aed707330b9bc9e926c5728d6773a444

General

Target

EPDA MV.Sweet Lady.lll_pdf.exe
Size

205KB
MD5

a89f3213f565db4ec7d6daa25ccf5bb5
SHA1

8764eccfa6c1689d8cfe90a652becce02ad94692
SHA256

0bc4d1e45ab93d84a42b64fc2d0514440e13dc7afbed98e51e38f1d5d5229844
SHA512

405cc3880b2eafc91f5cf06175b21de2f4d9b534db7dcc7f42325891d1573cde6b80646e72ddcbd7366610a5cb1bc2000f3de524b667310b7fb03d42167f29dd
SSDEEP

6144:r9X0GfXLULFwWCnObVvM7FroK5W9JuqJ4d:F0qX45sObyloK5WXTOd

Score

10^/10

xloader oean discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

oean

Decoy

kallitheasolutions.com

k-kard.com

mattvasilevski.com

gralg.com

lpbbxsfwwp.xyz

sahinligrup.com

forestgreens.club

qianduoduo.ink

futbolzone.site

rulesofvegas.com

theternarygroup.com

basenic.club

profitcenterresearch.com

cottonwoodcollection.com

chicagosecuritygates.com

hochfranken-feuilleton.com

carpetilo.com

adapt-2-nature.com

shasyaveda.com

altinovahotel.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2960-13-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/2960-17-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/3008-23-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
368	c0qit2o.exe
2960	c0qit2o.exe

Loads dropped DLL 3 IoCs

pid	Process
3016	EPDA MV.Sweet Lady.lll_pdf.exe
368	c0qit2o.exe
368	c0qit2o.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 368 set thread context of 2960	368	c0qit2o.exe	31
PID 2960 set thread context of 1204	2960	c0qit2o.exe	20
PID 3008 set thread context of 1204	3008	raserver.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EPDA MV.Sweet Lady.lll_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0qit2o.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
368	c0qit2o.exe
368	c0qit2o.exe
368	c0qit2o.exe
368	c0qit2o.exe
2960	c0qit2o.exe
2960	c0qit2o.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe
3008	raserver.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
368	c0qit2o.exe
2960	c0qit2o.exe
2960	c0qit2o.exe
2960	c0qit2o.exe
3008	raserver.exe
3008	raserver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	c0qit2o.exe
Token: SeDebugPrivilege	3008	raserver.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 368	3016	EPDA MV.Sweet Lady.lll_pdf.exe	29
PID 3016 wrote to memory of 368	3016	EPDA MV.Sweet Lady.lll_pdf.exe	29
PID 3016 wrote to memory of 368	3016	EPDA MV.Sweet Lady.lll_pdf.exe	29
PID 3016 wrote to memory of 368	3016	EPDA MV.Sweet Lady.lll_pdf.exe	29
PID 368 wrote to memory of 2960	368	c0qit2o.exe	31
PID 368 wrote to memory of 2960	368	c0qit2o.exe	31
PID 368 wrote to memory of 2960	368	c0qit2o.exe	31
PID 368 wrote to memory of 2960	368	c0qit2o.exe	31
PID 368 wrote to memory of 2960	368	c0qit2o.exe	31
PID 1204 wrote to memory of 3008	1204	Explorer.EXE	32
PID 1204 wrote to memory of 3008	1204	Explorer.EXE	32
PID 1204 wrote to memory of 3008	1204	Explorer.EXE	32
PID 1204 wrote to memory of 3008	1204	Explorer.EXE	32
PID 3008 wrote to memory of 2988	3008	raserver.exe	33
PID 3008 wrote to memory of 2988	3008	raserver.exe	33
PID 3008 wrote to memory of 2988	3008	raserver.exe	33
PID 3008 wrote to memory of 2988	3008	raserver.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\EPDA MV.Sweet Lady.lll_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\EPDA MV.Sweet Lady.lll_pdf.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\c0qit2o.exe
    "C:\Users\Admin\AppData\Local\Temp\c0qit2o.exe" "C:\Users\Admin\AppData\Local\Temp\3bp6xookqs5b.dll" "C:\Users\Admin\AppData\Local\Temp\rngdwqew.pa"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Users\Admin\AppData\Local\Temp\c0qit2o.exe
      "C:\Users\Admin\AppData\Local\Temp\c0qit2o.exe" "C:\Users\Admin\AppData\Local\Temp\3bp6xookqs5b.dll" "C:\Users\Admin\AppData\Local\Temp\rngdwqew.pa"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2960
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\c0qit2o.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rngdwqew.pa

Filesize
160KB

MD5
01c084425646663c72aca37f6d264116

SHA1
0e386be132328bd1c43d811be34c02b2a1bd80ad

SHA256
80c94eec38b6643d285080dfdb4aaf80d0657c05745df2f2c87538286d64777f

SHA512
acdb151145d06703516368ff46f4cd46c80280a90ac98700668c39fddfb3dbbd661721004dabdaab6902eb33788c852c9507a0dc591a1445e169f2a54e1de857

Download Submit
\Users\Admin\AppData\Local\Temp\3bp6xookqs5b.dll

Filesize
11KB

MD5
ee224cf89c92d8b8d08cbd9dc183e6a7

SHA1
8ab4416951d706730fdcf9422ac39a7308bd3443

SHA256
bd5ba137ea2f0162b1baaa6483f5f8d56a3327818c0c96a2b04842638625a8f3

SHA512
261a568b8b3ee4a3b8fef2dd99889495ef91c05a1e593c23d36ebb495872e6623f8be20630a52126dbde8720aabd24f047b3cc654f744afe9310a4da01702005

Download Submit
\Users\Admin\AppData\Local\Temp\c0qit2o.exe

Filesize
3KB

MD5
2632c0058c899f8a94077b5abab7cc96

SHA1
2b2e620c7964d27828f903ebe4cf9359390a5f06

SHA256
10241509299a29e8bd8c016b7ede6703a00915f65ae5165268f58bae93cdf37e

SHA512
a662a4ff0bfe8fafd3216ec98930a9805b8771d05fb803d3d9a9a99ce04e145ae60bcc4ed63574c712994e6aec90f03a1900a64e6a0021d010b0f016913d801e

Download Submit
memory/368-9-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/368-15-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1204-24-0x0000000004B20000-0x0000000004C4F000-memory.dmp

Filesize
1.2MB

Download
memory/1204-32-0x0000000004250000-0x00000000042F5000-memory.dmp

Filesize
660KB

Download
memory/1204-18-0x0000000004B20000-0x0000000004C4F000-memory.dmp

Filesize
1.2MB

Download
memory/1204-30-0x0000000004250000-0x00000000042F5000-memory.dmp

Filesize
660KB

Download
memory/1204-29-0x0000000004250000-0x00000000042F5000-memory.dmp

Filesize
660KB

Download
memory/1204-26-0x0000000002C60000-0x0000000002D60000-memory.dmp

Filesize
1024KB

Download
memory/2960-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2960-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3008-23-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/3008-22-0x0000000000330000-0x000000000034C000-memory.dmp

Filesize
112KB

Download
memory/3008-21-0x0000000000330000-0x000000000034C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing