xloader | 16c7ab46f5e4931cdefb3b1d8f68da319ab955660bf9bc390f2755a7f410dd23

Analysis

max time kernel
147s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 20:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order 4566789.exe
Size

838KB
MD5

2d9ded5e11d7f45bf9f534b7257b1759
SHA1

98dc535995c9cf3eb2b448b313e738dd3cfe9da8
SHA256

44642b64aeb3a5366b70e88c307e938aefb25fea2e6f5a5520c8829f19552f9c
SHA512

4d25c22e478a6fae64f147a973a12911148ce408f429f3444df433ecd71fb516495bd717a65b07cc33eade85221d309b7d763d83f45c6fd70c1876d496953d45
SSDEEP

12288:lg8edcf0v6QWTSG1A8FVxlrNStv8Q7BHe40p6pmAupZCmH6hTcWDpMoaU7yo4LPi:lgv6QWTz1dPSt0QFH0KmAum

Score

10^/10

xloader inga discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

inga

Decoy

21sq.xyz

aleimanpaper.com

soulworkerrush.com

lianxiwan.xyz

gorastionse.store

nuhuo333.xyz

greenft.xyz

upisout.com

mgav23.xyz

2day-recv.info

emdestak.com

generatorgmer.xyz

inmyhindi.com

meenubhosale.com

feinquebrantabledoc.com

valgtrizoma.quest

impqtantaou.com

nomorewarnow.com

gmcrjizppcx.mobi

eludice.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2900-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2900-17-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2900-22-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2616-28-0x00000000000D0000-0x00000000000F9000-memory.dmp	xloader

Deletes itself 1 IoCs

pid	Process
2176	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2868 set thread context of 2900	2868	Order 4566789.exe	33
PID 2900 set thread context of 1352	2900	Order 4566789.exe	21
PID 2900 set thread context of 1352	2900	Order 4566789.exe	21
PID 2616 set thread context of 1352	2616	explorer.exe	21

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order 4566789.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2868	Order 4566789.exe
2868	Order 4566789.exe
2868	Order 4566789.exe
2868	Order 4566789.exe
2868	Order 4566789.exe
2868	Order 4566789.exe
2900	Order 4566789.exe
2900	Order 4566789.exe
2900	Order 4566789.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe
2616	explorer.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2900	Order 4566789.exe
2900	Order 4566789.exe
2900	Order 4566789.exe
2900	Order 4566789.exe
2616	explorer.exe
2616	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	Order 4566789.exe
Token: SeDebugPrivilege	2900	Order 4566789.exe
Token: SeDebugPrivilege	2616	explorer.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2572	2868	Order 4566789.exe	30
PID 2868 wrote to memory of 2572	2868	Order 4566789.exe	30
PID 2868 wrote to memory of 2572	2868	Order 4566789.exe	30
PID 2868 wrote to memory of 2572	2868	Order 4566789.exe	30
PID 2868 wrote to memory of 2800	2868	Order 4566789.exe	31
PID 2868 wrote to memory of 2800	2868	Order 4566789.exe	31
PID 2868 wrote to memory of 2800	2868	Order 4566789.exe	31
PID 2868 wrote to memory of 2800	2868	Order 4566789.exe	31
PID 2868 wrote to memory of 2684	2868	Order 4566789.exe	32
PID 2868 wrote to memory of 2684	2868	Order 4566789.exe	32
PID 2868 wrote to memory of 2684	2868	Order 4566789.exe	32
PID 2868 wrote to memory of 2684	2868	Order 4566789.exe	32
PID 2868 wrote to memory of 2900	2868	Order 4566789.exe	33
PID 2868 wrote to memory of 2900	2868	Order 4566789.exe	33
PID 2868 wrote to memory of 2900	2868	Order 4566789.exe	33
PID 2868 wrote to memory of 2900	2868	Order 4566789.exe	33
PID 2868 wrote to memory of 2900	2868	Order 4566789.exe	33
PID 2868 wrote to memory of 2900	2868	Order 4566789.exe	33
PID 2868 wrote to memory of 2900	2868	Order 4566789.exe	33
PID 1352 wrote to memory of 2616	1352	Explorer.EXE	34
PID 1352 wrote to memory of 2616	1352	Explorer.EXE	34
PID 1352 wrote to memory of 2616	1352	Explorer.EXE	34
PID 1352 wrote to memory of 2616	1352	Explorer.EXE	34
PID 2616 wrote to memory of 2176	2616	explorer.exe	35
PID 2616 wrote to memory of 2176	2616	explorer.exe	35
PID 2616 wrote to memory of 2176	2616	explorer.exe	35
PID 2616 wrote to memory of 2176	2616	explorer.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\Order 4566789.exe
  "C:\Users\Admin\AppData\Local\Temp\Order 4566789.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\Order 4566789.exe
    "{path}"
    3⤵
    PID:2572
- - C:\Users\Admin\AppData\Local\Temp\Order 4566789.exe
    "{path}"
    3⤵
    PID:2800
- - C:\Users\Admin\AppData\Local\Temp\Order 4566789.exe
    "{path}"
    3⤵
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\Order 4566789.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Order 4566789.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1352-19-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1352-31-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1352-29-0x0000000006FF0000-0x0000000007192000-memory.dmp

Filesize
1.6MB

Download
memory/1352-25-0x0000000006FF0000-0x0000000007192000-memory.dmp

Filesize
1.6MB

Download
memory/1352-24-0x00000000064E0000-0x00000000065A9000-memory.dmp

Filesize
804KB

Download
memory/1352-20-0x00000000064E0000-0x00000000065A9000-memory.dmp

Filesize
804KB

Download
memory/2616-28-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/2616-27-0x0000000000560000-0x00000000007E1000-memory.dmp

Filesize
2.5MB

Download
memory/2616-26-0x0000000000560000-0x00000000007E1000-memory.dmp

Filesize
2.5MB

Download
memory/2868-14-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2868-7-0x0000000002100000-0x0000000002130000-memory.dmp

Filesize
192KB

Download
memory/2868-1-0x00000000001A0000-0x0000000000278000-memory.dmp

Filesize
864KB

Download
memory/2868-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/2868-2-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2868-3-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/2868-4-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/2868-5-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2868-6-0x0000000005070000-0x00000000050F2000-memory.dmp

Filesize
520KB

Download
memory/2900-18-0x0000000000180000-0x0000000000191000-memory.dmp

Filesize
68KB

Download
memory/2900-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-23-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/2900-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2900-15-0x0000000000A00000-0x0000000000D03000-memory.dmp

Filesize
3.0MB

Download
memory/2900-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download