xloader | 6c0778694e8a39f2eb2e6da0ec2b51dfc109aeee5402a53dac9bffac511f5ef9

General

Target

433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe
Size

1.1MB
MD5

9f370c2fc3e45cf57abc978111e17955
SHA1

5f5d4287f9be36e79b28869c4306b6ba0a32a49e
SHA256

433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2
SHA512

555f3f1fc874e904dce1861db826c567640899e4fd65fc380e2df0502ba39e2710fc208d89fc06c9ef7cb3d97a116045714f1ef6c538b3105faa8e15d0f6d213
SSDEEP

24576:19tbAka1AdQY/Pmazg0n5f9l6PIYpbjb6:1XbAka1AdrO8D5FcxbH

Score

10^/10

xloader iuem discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

iuem

Decoy

agileatefoundation.com

preheimphotography.com

blueivymart.com

magetu.info

sunayah.com

gulumsecafe.com

belveder.net

pumpkinmangaming.com

playd6plus.com

thuanland.com

blacklivesmatterforreal.com

enviromentalco.com

ferronnstyle.com

mrbeagleshop.com

whmlqx.com

unifiedfederal.com

purest-you.com

ashleymartinonline.com

bayareaportraitphotographer.com

ysnrjelx.icu

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2368-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 428 set thread context of 2368	428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe	104

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe
428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe
428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe
428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe
428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe
2368	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe
2368	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 3472	428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe	102
PID 428 wrote to memory of 3472	428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe	102
PID 428 wrote to memory of 3472	428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe	102
PID 428 wrote to memory of 3444	428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe	103
PID 428 wrote to memory of 3444	428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe	103
PID 428 wrote to memory of 3444	428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe	103
PID 428 wrote to memory of 2368	428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe	104
PID 428 wrote to memory of 2368	428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe	104
PID 428 wrote to memory of 2368	428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe	104
PID 428 wrote to memory of 2368	428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe	104
PID 428 wrote to memory of 2368	428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe	104
PID 428 wrote to memory of 2368	428	433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe	104

C:\Users\Admin\AppData\Local\Temp\433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe
"C:\Users\Admin\AppData\Local\Temp\433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428
- C:\Users\Admin\AppData\Local\Temp\433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe
  "C:\Users\Admin\AppData\Local\Temp\433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe"
  2⤵
  PID:3472
- C:\Users\Admin\AppData\Local\Temp\433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe
  "C:\Users\Admin\AppData\Local\Temp\433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe"
  2⤵
  PID:3444
- C:\Users\Admin\AppData\Local\Temp\433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe
  "C:\Users\Admin\AppData\Local\Temp\433c9b077a6f8983fadf6831ff9a02d3105b5b32c325705f3d9c7687a0e968a2.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/428-8-0x0000000004B60000-0x0000000004B76000-memory.dmp

Filesize
88KB

Download
memory/428-4-0x0000000005220000-0x00000000052B2000-memory.dmp

Filesize
584KB

Download
memory/428-0-0x000000007455E000-0x000000007455F000-memory.dmp

Filesize
4KB

Download
memory/428-3-0x0000000005730000-0x0000000005CD4000-memory.dmp

Filesize
5.6MB

Download
memory/428-9-0x000000007455E000-0x000000007455F000-memory.dmp

Filesize
4KB

Download
memory/428-5-0x00000000051A0000-0x00000000051AA000-memory.dmp

Filesize
40KB

Download
memory/428-6-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/428-10-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/428-2-0x00000000050E0000-0x000000000517C000-memory.dmp

Filesize
624KB

Download
memory/428-1-0x00000000005E0000-0x0000000000708000-memory.dmp

Filesize
1.2MB

Download
memory/428-7-0x0000000005440000-0x0000000005496000-memory.dmp

Filesize
344KB

Download
memory/428-11-0x0000000007E10000-0x0000000007E8C000-memory.dmp

Filesize
496KB

Download
memory/428-12-0x0000000006800000-0x0000000006834000-memory.dmp

Filesize
208KB

Download
memory/428-15-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/2368-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2368-16-0x0000000001340000-0x000000000168A000-memory.dmp

Filesize
3.3MB

Download
memory/2368-17-0x0000000001340000-0x000000000168A000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing