xloader | db3fbdb673047b9b6705b18118f81d1714091ee1d6de2db2897cd3bdeba8a510

General

Target

3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe
Size

1.2MB
MD5

2875b6d653a9311f91e1a2f28e5538e1
SHA1

6f13158f25a54b1631ce935f90db7e3daaf4257f
SHA256

3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff
SHA512

6849621b598210ead54cfff112f0f0d571f0caf72cca48349b4471817a567ff83b134e302011fda84a8421337961a6b5d25bda8d528da54451a329dec1ac7b85
SSDEEP

24576:PSWnZPFYyblhB2PLKuUSxztfzvYIDWrWdT:ryK12D7DxpfzgHrW

Score

10^/10

xloader 6mam discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

6mam

Decoy

gxduoke.com

lawmetricssolicitors.com

e-bizbox.com

ilovemehoodie.com

marcuslafond.com

bransolute.com

kuppers.info

kykyryky.art

vavasoo.com

tlamj.com

besport24.com

hibachiexpressnctogo.com

elglink99.com

maximos.world

uniamaa.com

aladinfarma.com

opticatervisof.com

delhibudokankarate.com

juliekifyukstyle.com

fuzhourexian.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4912-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3592 set thread context of 4912	3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe	93

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe
3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe
3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe
3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe
4912	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe
4912	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 2444	3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe	91
PID 3592 wrote to memory of 2444	3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe	91
PID 3592 wrote to memory of 2444	3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe	91
PID 3592 wrote to memory of 2300	3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe	92
PID 3592 wrote to memory of 2300	3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe	92
PID 3592 wrote to memory of 2300	3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe	92
PID 3592 wrote to memory of 4912	3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe	93
PID 3592 wrote to memory of 4912	3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe	93
PID 3592 wrote to memory of 4912	3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe	93
PID 3592 wrote to memory of 4912	3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe	93
PID 3592 wrote to memory of 4912	3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe	93
PID 3592 wrote to memory of 4912	3592	3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe	93

C:\Users\Admin\AppData\Local\Temp\3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe
"C:\Users\Admin\AppData\Local\Temp\3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Users\Admin\AppData\Local\Temp\3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe
  "C:\Users\Admin\AppData\Local\Temp\3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe"
  2⤵
  PID:2444
- C:\Users\Admin\AppData\Local\Temp\3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe
  "C:\Users\Admin\AppData\Local\Temp\3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe"
  2⤵
  PID:2300
- C:\Users\Admin\AppData\Local\Temp\3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe
  "C:\Users\Admin\AppData\Local\Temp\3a30a00f6eab6a14476db7139c5512302b5fff48a3111ccb6ae8e0964213f8ff.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3592-8-0x00000000088B0000-0x00000000088C8000-memory.dmp

Filesize
96KB

Download
memory/3592-9-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

Filesize
4KB

Download
memory/3592-2-0x0000000005AE0000-0x0000000005B7C000-memory.dmp

Filesize
624KB

Download
memory/3592-3-0x0000000006130000-0x00000000066D4000-memory.dmp

Filesize
5.6MB

Download
memory/3592-4-0x0000000005C20000-0x0000000005CB2000-memory.dmp

Filesize
584KB

Download
memory/3592-5-0x0000000005B80000-0x0000000005B8A000-memory.dmp

Filesize
40KB

Download
memory/3592-1-0x0000000000FC0000-0x00000000010EE000-memory.dmp

Filesize
1.2MB

Download
memory/3592-6-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/3592-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

Filesize
4KB

Download
memory/3592-7-0x0000000005DB0000-0x0000000005E06000-memory.dmp

Filesize
344KB

Download
memory/3592-10-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/3592-11-0x0000000008DB0000-0x0000000008E4E000-memory.dmp

Filesize
632KB

Download
memory/3592-12-0x000000000B550000-0x000000000B57E000-memory.dmp

Filesize
184KB

Download
memory/3592-15-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/4912-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4912-16-0x0000000001310000-0x000000000165A000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing