xloader | 781ce425460a0a8bd9fdaf68224ca4b8b3f6fdfab953f693367561fd7b76b13c

General

Target

RFI von Aeris Impulsmoebel _RFI-9090.exe
Size

769KB
MD5

ad35195080aaf247005d6ecab3f8db72
SHA1

1d4368b26588323743b5de77995260b2a08d3eab
SHA256

895f390d56ade378e72f343465d78ed3f3f98ab04a3fb3e2e2616184e566b6c5
SHA512

4f8deae3bb1f2c3253583cfb932a545097913aab555b498afc4225a5361d76ea2a704f4fecfcde8d44c0d79129d530d06211a974008ffaba372e738ec1b2215a
SSDEEP

24576:ckygsXzLhX0ab8kLDnyQCjVBW6Ymh6WPa:MFXXV0ab8kXnyQCjrRYg6W

Score

10^/10

xloader witq discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

witq

Decoy

cryptohavenpro.com

zildan.com

buyexcessinventory.com

telecluber.com

whhsdzyl.com

regionalkistel.com

ksusalinabookstore.com

firsttimergears.com

rzpsca.com

sakura-syoukai-t.com

zgvmeiti.com

99000444.com

kerisjatifurniture.com

photoparty.pro

monarchinvestiment.com

hkgjtrade.com

catholicsinglestv.com

nvtdigital.com

mariimportados.com

01mpt.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/2256-6-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/2256-9-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/2256-16-0x0000000000400000-0x000000000042C000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2564 set thread context of 2256	2564	RFI von Aeris Impulsmoebel _RFI-9090.exe	82
PID 2256 set thread context of 3536	2256	systray.exe	56
PID 2256 set thread context of 3536	2256	systray.exe	56

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RFI von Aeris Impulsmoebel _RFI-9090.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systray.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2564	RFI von Aeris Impulsmoebel _RFI-9090.exe
2564	RFI von Aeris Impulsmoebel _RFI-9090.exe
2564	RFI von Aeris Impulsmoebel _RFI-9090.exe
2564	RFI von Aeris Impulsmoebel _RFI-9090.exe
2564	RFI von Aeris Impulsmoebel _RFI-9090.exe
2564	RFI von Aeris Impulsmoebel _RFI-9090.exe
2564	RFI von Aeris Impulsmoebel _RFI-9090.exe
2564	RFI von Aeris Impulsmoebel _RFI-9090.exe
2256	systray.exe
2256	systray.exe
2256	systray.exe
2256	systray.exe
2564	RFI von Aeris Impulsmoebel _RFI-9090.exe
2564	RFI von Aeris Impulsmoebel _RFI-9090.exe
2256	systray.exe
2256	systray.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2256	systray.exe
2256	systray.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	RFI von Aeris Impulsmoebel _RFI-9090.exe
Token: SeDebugPrivilege	2256	systray.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2256	2564	RFI von Aeris Impulsmoebel _RFI-9090.exe	82
PID 2564 wrote to memory of 2256	2564	RFI von Aeris Impulsmoebel _RFI-9090.exe	82
PID 2564 wrote to memory of 2256	2564	RFI von Aeris Impulsmoebel _RFI-9090.exe	82
PID 2564 wrote to memory of 2256	2564	RFI von Aeris Impulsmoebel _RFI-9090.exe	82
PID 2564 wrote to memory of 2256	2564	RFI von Aeris Impulsmoebel _RFI-9090.exe	82
PID 2564 wrote to memory of 2256	2564	RFI von Aeris Impulsmoebel _RFI-9090.exe	82
PID 2564 wrote to memory of 2256	2564	RFI von Aeris Impulsmoebel _RFI-9090.exe	82

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3536
- C:\Users\Admin\AppData\Local\Temp\RFI von Aeris Impulsmoebel _RFI-9090.exe
  "C:\Users\Admin\AppData\Local\Temp\RFI von Aeris Impulsmoebel _RFI-9090.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\systray.exe
    "C:\Windows\SysWOW64\systray.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2256-6-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2256-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2256-17-0x00000000016F0000-0x0000000001701000-memory.dmp

Filesize
68KB

Download
memory/2256-9-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2256-10-0x0000000000FC0000-0x0000000000FD1000-memory.dmp

Filesize
68KB

Download
memory/2256-7-0x0000000001760000-0x0000000001AAA000-memory.dmp

Filesize
3.3MB

Download
memory/2564-4-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/2564-5-0x0000000004E90000-0x0000000004EAA000-memory.dmp

Filesize
104KB

Download
memory/2564-0-0x00000000750CE000-0x00000000750CF000-memory.dmp

Filesize
4KB

Download
memory/2564-3-0x0000000005110000-0x00000000051C8000-memory.dmp

Filesize
736KB

Download
memory/2564-13-0x00000000728B5000-0x00000000728B6000-memory.dmp

Filesize
4KB

Download
memory/2564-14-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/2564-2-0x0000000005070000-0x000000000510C000-memory.dmp

Filesize
624KB

Download
memory/2564-1-0x0000000000420000-0x00000000004E6000-memory.dmp

Filesize
792KB

Download
memory/3536-11-0x0000000002650000-0x0000000002706000-memory.dmp

Filesize
728KB

Download
memory/3536-18-0x0000000006CF0000-0x0000000006DE3000-memory.dmp

Filesize
972KB

Download
memory/3536-19-0x0000000002650000-0x0000000002706000-memory.dmp

Filesize
728KB

Download
memory/3536-20-0x0000000006CF0000-0x0000000006DE3000-memory.dmp

Filesize
972KB

Download

Analysis

Sharing