xloader | ca19432da459c894d6886030b078a5a132fa244aaaff0433f95bf888b586530d

General

Target

3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55.exe
Size

337KB
MD5

1e9e125ed34109f2c640b25538185cac
SHA1

89faa5b5789eb1633ca74ee15d34c16c0b0cf174
SHA256

3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55
SHA512

b5a98b361d7006b12570b15ef28d5fdc41f274db6e95e9eea7ec6f08736676b630ad2bb0347aecb7bca9433a5f31eafa6f3bd72dd504ec4ec61dc01e06d0c1ee
SSDEEP

6144:rGiPGY4OddUWhpyRJ5Q/cd78kxpAX1F1NIyEA29o7EJYUlhZIzPW:yY4Opyb5Q/cV8kxGX1FMaFEJVpcW

Score

10^/10

xloader nqs9 discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nqs9

Decoy

lgingood.com

shopgeti.com

christianuomo.com

sportsxuk.com

markidesignstore.com

tjhuoliao.com

docomobb.xyz

ilrespirodelmare.com

kfconline.rest

paramusrepair.com

w3zand.com

unguamtruppe.quest

bethesdagardensloveland.net

bostonstretchlimousine.com

yycsmj.net

creatorgela.com

bestalcoholfreebeer.com

jorgeforfr.com

dlzxd.com

rajaranicoupon.xyz

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2944-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2944-16-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2944-21-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2840-28-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
2820	kczbgk.exe
2944	kczbgk.exe

Loads dropped DLL 2 IoCs

pid	Process
2880	3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55.exe
2820	kczbgk.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2820 set thread context of 2944	2820	kczbgk.exe	31
PID 2944 set thread context of 1188	2944	kczbgk.exe	21
PID 2944 set thread context of 1188	2944	kczbgk.exe	21
PID 2840 set thread context of 1188	2840	wininit.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kczbgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wininit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2944	kczbgk.exe
2944	kczbgk.exe
2944	kczbgk.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe
2840	wininit.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2944	kczbgk.exe
2944	kczbgk.exe
2944	kczbgk.exe
2944	kczbgk.exe
2840	wininit.exe
2840	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	kczbgk.exe
Token: SeDebugPrivilege	2840	wininit.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2820	2880	3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55.exe	30
PID 2880 wrote to memory of 2820	2880	3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55.exe	30
PID 2880 wrote to memory of 2820	2880	3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55.exe	30
PID 2880 wrote to memory of 2820	2880	3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55.exe	30
PID 2820 wrote to memory of 2944	2820	kczbgk.exe	31
PID 2820 wrote to memory of 2944	2820	kczbgk.exe	31
PID 2820 wrote to memory of 2944	2820	kczbgk.exe	31
PID 2820 wrote to memory of 2944	2820	kczbgk.exe	31
PID 2820 wrote to memory of 2944	2820	kczbgk.exe	31
PID 2820 wrote to memory of 2944	2820	kczbgk.exe	31
PID 2820 wrote to memory of 2944	2820	kczbgk.exe	31
PID 1188 wrote to memory of 2840	1188	Explorer.EXE	32
PID 1188 wrote to memory of 2840	1188	Explorer.EXE	32
PID 1188 wrote to memory of 2840	1188	Explorer.EXE	32
PID 1188 wrote to memory of 2840	1188	Explorer.EXE	32
PID 2840 wrote to memory of 2676	2840	wininit.exe	33
PID 2840 wrote to memory of 2676	2840	wininit.exe	33
PID 2840 wrote to memory of 2676	2840	wininit.exe	33
PID 2840 wrote to memory of 2676	2840	wininit.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55.exe
  "C:\Users\Admin\AppData\Local\Temp\3824f68042b243ff952a0184baaca8ede5c254821a8ec8e8be9fa86224ddbc55.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\kczbgk.exe
    C:\Users\Admin\AppData\Local\Temp\kczbgk.exe C:\Users\Admin\AppData\Local\Temp\izlci
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\kczbgk.exe
      C:\Users\Admin\AppData\Local\Temp\kczbgk.exe C:\Users\Admin\AppData\Local\Temp\izlci
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2944
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\kczbgk.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bq9us3yoko0kt

Filesize
211KB

MD5
0f791ef8faf6091b8669f3e5b2adbcd8

SHA1
e2bfa7ea56a168a47cc109eade62a8218b0b2270

SHA256
7f706d371f83e83437ae340a4242ee3af096f2ba5f22baa0a51be2dedb8a0eac

SHA512
ace9176527a9b0a93fe217395abbb695004271eb65581cb5175a6e662d7d0412dcafff0f68a5e127ba88f78cdf04f768b35ce73aa5d90fe032b1012eb82dd7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\izlci

Filesize
4KB

MD5
61c47d1e8fc4a14c3433e98be9607abc

SHA1
2d1a5e8ffb4845488ecf41926ef79c1a7fdfc025

SHA256
ab8e7743f47f6443df4a96f275ae101167e8a5bbf13b268db7181d43fd7fb5b3

SHA512
5a1c176f172800a49c8d16597b3516153707310b34c6220d79c1f06923ac0d2c2f3efc5586570d9001d86db1f31c281746a98a0200db4861439d680cc6890925

Download Submit
\Users\Admin\AppData\Local\Temp\kczbgk.exe

Filesize
177KB

MD5
0bf3e785b6a7a0c1ae07417cbf290121

SHA1
5cf19f555dc7ed6eefa74285e95ca7b396855793

SHA256
bd0b5a7be527aa878536fa7f40dcff283a51a7138109efaf2a44440b235a0ab5

SHA512
d83ab29b90b2f07d8125d5452a113ab43dffd88a423003e0a53d5937549ef7d04b4e994a8b2520637651d46080c98c8a3bea2916c1dccb42f6f97cf966ce81cb

Download Submit
memory/1188-23-0x0000000007200000-0x00000000073A0000-memory.dmp

Filesize
1.6MB

Download
memory/1188-29-0x0000000004B60000-0x0000000004C9F000-memory.dmp

Filesize
1.2MB

Download
memory/1188-18-0x00000000037B0000-0x00000000038B0000-memory.dmp

Filesize
1024KB

Download
memory/1188-19-0x0000000007200000-0x00000000073A0000-memory.dmp

Filesize
1.6MB

Download
memory/1188-24-0x0000000004B60000-0x0000000004C9F000-memory.dmp

Filesize
1.2MB

Download
memory/2820-9-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2840-28-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2840-27-0x0000000000840000-0x000000000085A000-memory.dmp

Filesize
104KB

Download
memory/2840-25-0x0000000000840000-0x000000000085A000-memory.dmp

Filesize
104KB

Download
memory/2944-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2944-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2944-22-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/2944-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2944-17-0x0000000000180000-0x0000000000191000-memory.dmp

Filesize
68KB

Download
memory/2944-14-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing