xloader | a4336bf3d57e83de94cf7e76c06df4b04f6041e646b073d873e6746f61743a0f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe
Size

1.0MB
MD5

9d73b42ce002d0964ac552c4a8be3652
SHA1

86942687836cc75e082399acafefcf17f40c6606
SHA256

f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70
SHA512

4d768f775e56ca96898657d908c062056f94c69e8765bec277df6c5f9f359446771c17988488836c7e7c281200ced151983e1b690161bd60ff9f2394715889d0
SSDEEP

12288:Wx76RAQOEhGkEHIxZEfzZXbpC+MRxkhxSU739+MAC80dRXXr3SONMTW2KgcYM8+M:YadgVOExA+LQG2CpzXXrNns

Score

10^/10

xloader nbm3 discovery evasion loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nbm3

Decoy

3881a.com

abutuandui.com

halo-airs.com

nu865ci.com

fssqyd.com

pacificsunseattle.com

sellyourfobs.com

eniso-team.com

ciscenjedpffiltera.com

furriekids.com

dspotsg.com

amanispartydecor.com

wrih.top

rab-verlopen-pas.icu

alircep.com

rangeroads.com

bugattiveyronhypercarnft.com

dominera.net

jux565.com

licenseoriginal.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/1720-9-0x0000000000400000-0x0000000000431000-memory.dmp	xloader
behavioral2/memory/1720-12-0x0000000000400000-0x0000000000431000-memory.dmp	xloader
behavioral2/memory/2064-19-0x0000000000B40000-0x0000000000B69000-memory.dmp	xloader

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4816 set thread context of 1720	4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe	83
PID 1720 set thread context of 3412	1720	DevicePairingWizard.exe	56
PID 2064 set thread context of 3412	2064	msdt.exe	56

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DevicePairingWizard.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe
4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe
4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe
4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe
4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe
4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe
4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe
4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe
1720	DevicePairingWizard.exe
1720	DevicePairingWizard.exe
1720	DevicePairingWizard.exe
1720	DevicePairingWizard.exe
4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe
4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe
2064	msdt.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1720	DevicePairingWizard.exe
1720	DevicePairingWizard.exe
1720	DevicePairingWizard.exe
2064	msdt.exe
2064	msdt.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe
Token: SeDebugPrivilege	1720	DevicePairingWizard.exe
Token: SeDebugPrivilege	2064	msdt.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 1720	4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe	83
PID 4816 wrote to memory of 1720	4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe	83
PID 4816 wrote to memory of 1720	4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe	83
PID 4816 wrote to memory of 1720	4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe	83
PID 4816 wrote to memory of 1720	4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe	83
PID 4816 wrote to memory of 1720	4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe	83
PID 4816 wrote to memory of 1720	4816	f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe	83
PID 3412 wrote to memory of 2064	3412	Explorer.EXE	84
PID 3412 wrote to memory of 2064	3412	Explorer.EXE	84
PID 3412 wrote to memory of 2064	3412	Explorer.EXE	84
PID 2064 wrote to memory of 4664	2064	msdt.exe	89
PID 2064 wrote to memory of 4664	2064	msdt.exe	89
PID 2064 wrote to memory of 4664	2064	msdt.exe	89

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Users\Admin\AppData\Local\Temp\f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe
  "C:\Users\Admin\AppData\Local\Temp\f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\DevicePairingWizard.exe
    "C:\Windows\SysWOW64\DevicePairingWizard.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\DevicePairingWizard.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-9-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1720-12-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1720-13-0x0000000000DD0000-0x0000000000DE1000-memory.dmp

Filesize
68KB

Download
memory/1720-10-0x00000000011C0000-0x000000000150A000-memory.dmp

Filesize
3.3MB

Download
memory/2064-17-0x0000000000270000-0x00000000002C7000-memory.dmp

Filesize
348KB

Download
memory/2064-18-0x0000000000270000-0x00000000002C7000-memory.dmp

Filesize
348KB

Download
memory/2064-19-0x0000000000B40000-0x0000000000B69000-memory.dmp

Filesize
164KB

Download
memory/3412-14-0x0000000003390000-0x000000000345A000-memory.dmp

Filesize
808KB

Download
memory/3412-20-0x0000000003390000-0x000000000345A000-memory.dmp

Filesize
808KB

Download
memory/3412-25-0x0000000008FD0000-0x0000000009108000-memory.dmp

Filesize
1.2MB

Download
memory/3412-24-0x0000000008FD0000-0x0000000009108000-memory.dmp

Filesize
1.2MB

Download
memory/4816-16-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/4816-1-0x0000000000E60000-0x0000000000F6E000-memory.dmp

Filesize
1.1MB

Download
memory/4816-5-0x0000000005AD0000-0x0000000005B90000-memory.dmp

Filesize
768KB

Download
memory/4816-8-0x0000000007500000-0x0000000007566000-memory.dmp

Filesize
408KB

Download
memory/4816-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/4816-7-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/4816-6-0x0000000005920000-0x000000000593C000-memory.dmp

Filesize
112KB

Download
memory/4816-2-0x0000000005E50000-0x00000000063F4000-memory.dmp

Filesize
5.6MB

Download
memory/4816-3-0x0000000005980000-0x0000000005A12000-memory.dmp

Filesize
584KB

Download
memory/4816-4-0x0000000005A20000-0x0000000005ABC000-memory.dmp

Filesize
624KB

Download