xloader | c7e8dc0d874686bc3b1b7cd9e1bfb68b84a715589fd55a51b708a3aa3b484586

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INV#94049.exe
Size

624KB
MD5

11b99a9ebfbd6815ea25e451aaadb5c2
SHA1

300ebe536afb18ab95386c59b569da3a3ac39bfa
SHA256

79f465b8846c4bd2865defb9a608d2ca089f94352abd3c765558f6ecfcbd5555
SHA512

433152236bbbc7267c9ad3abdb577dda11007f866d690361cecd8d55d24f3f88ca0635fa11f0ac498b4ed81ddd032864de10d89383fa53a6d6cf16c89636acf5
SSDEEP

12288:l3H2iNLBD7hYI1o4rb8t5S3PRgkFOi6b0:ZH1/eqbo

Score

10^/10

xloader fo8q discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

fo8q

Decoy

idesignbymadelinefl.com

finleygoods.com

hfxyyq.com

jjhh9656.com

superstarcoding.com

synergybridges.com

fantom.art

zebramovie.com

keephimmine.com

cmbego.com

shreegurudattaenterprises.com

appcoinsupport.services

roysecitystorage.com

gentlemensstories.com

hubinternationalinnovation.com

letscleartheairnow.com

strueyouneedto.space

schoolofsevens.com

cannaonline.net

slimmersite.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2500-11-0x0000000008F20000-0x0000000008F49000-memory.dmp	xloader
behavioral2/memory/1032-17-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1032-21-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4764-27-0x0000000000760000-0x0000000000789000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2500 set thread context of 1032	2500	INV#94049.exe	92
PID 1032 set thread context of 3488	1032	INV#94049.exe	56
PID 1032 set thread context of 3488	1032	INV#94049.exe	56
PID 4764 set thread context of 3488	4764	systray.exe	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INV#94049.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2500	INV#94049.exe
2500	INV#94049.exe
2500	INV#94049.exe
2500	INV#94049.exe
1032	INV#94049.exe
1032	INV#94049.exe
1032	INV#94049.exe
1032	INV#94049.exe
1032	INV#94049.exe
1032	INV#94049.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe
4764	systray.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1032	INV#94049.exe
1032	INV#94049.exe
1032	INV#94049.exe
1032	INV#94049.exe
4764	systray.exe
4764	systray.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	INV#94049.exe
Token: SeDebugPrivilege	1032	INV#94049.exe
Token: SeDebugPrivilege	4764	systray.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 4152	2500	INV#94049.exe	90
PID 2500 wrote to memory of 4152	2500	INV#94049.exe	90
PID 2500 wrote to memory of 4152	2500	INV#94049.exe	90
PID 2500 wrote to memory of 1980	2500	INV#94049.exe	91
PID 2500 wrote to memory of 1980	2500	INV#94049.exe	91
PID 2500 wrote to memory of 1980	2500	INV#94049.exe	91
PID 2500 wrote to memory of 1032	2500	INV#94049.exe	92
PID 2500 wrote to memory of 1032	2500	INV#94049.exe	92
PID 2500 wrote to memory of 1032	2500	INV#94049.exe	92
PID 2500 wrote to memory of 1032	2500	INV#94049.exe	92
PID 2500 wrote to memory of 1032	2500	INV#94049.exe	92
PID 2500 wrote to memory of 1032	2500	INV#94049.exe	92
PID 3488 wrote to memory of 4764	3488	Explorer.EXE	94
PID 3488 wrote to memory of 4764	3488	Explorer.EXE	94
PID 3488 wrote to memory of 4764	3488	Explorer.EXE	94
PID 4764 wrote to memory of 3368	4764	systray.exe	95
PID 4764 wrote to memory of 3368	4764	systray.exe	95
PID 4764 wrote to memory of 3368	4764	systray.exe	95

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Users\Admin\AppData\Local\Temp\INV#94049.exe
  "C:\Users\Admin\AppData\Local\Temp\INV#94049.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\INV#94049.exe
    "C:\Users\Admin\AppData\Local\Temp\INV#94049.exe"
    3⤵
    PID:4152
- - C:\Users\Admin\AppData\Local\Temp\INV#94049.exe
    "C:\Users\Admin\AppData\Local\Temp\INV#94049.exe"
    3⤵
    PID:1980
- - C:\Users\Admin\AppData\Local\Temp\INV#94049.exe
    "C:\Users\Admin\AppData\Local\Temp\INV#94049.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1032
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\INV#94049.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-15-0x0000000001560000-0x00000000018AA000-memory.dmp

Filesize
3.3MB

Download
memory/1032-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1032-22-0x00000000032D0000-0x00000000032E1000-memory.dmp

Filesize
68KB

Download
memory/1032-18-0x0000000001410000-0x0000000001421000-memory.dmp

Filesize
68KB

Download
memory/1032-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2500-6-0x0000000007250000-0x000000000725C000-memory.dmp

Filesize
48KB

Download
memory/2500-1-0x0000000000220000-0x00000000002C2000-memory.dmp

Filesize
648KB

Download
memory/2500-7-0x000000007515E000-0x000000007515F000-memory.dmp

Filesize
4KB

Download
memory/2500-8-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/2500-9-0x0000000008DE0000-0x0000000008E7C000-memory.dmp

Filesize
624KB

Download
memory/2500-10-0x0000000008ED0000-0x0000000008F1E000-memory.dmp

Filesize
312KB

Download
memory/2500-11-0x0000000008F20000-0x0000000008F49000-memory.dmp

Filesize
164KB

Download
memory/2500-14-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/2500-5-0x00000000045A0000-0x00000000045AA000-memory.dmp

Filesize
40KB

Download
memory/2500-4-0x0000000075150000-0x0000000075900000-memory.dmp

Filesize
7.7MB

Download
memory/2500-3-0x0000000007040000-0x00000000070D2000-memory.dmp

Filesize
584KB

Download
memory/2500-0-0x000000007515E000-0x000000007515F000-memory.dmp

Filesize
4KB

Download
memory/2500-2-0x0000000007550000-0x0000000007AF4000-memory.dmp

Filesize
5.6MB

Download
memory/3488-19-0x0000000008F10000-0x0000000009084000-memory.dmp

Filesize
1.5MB

Download
memory/3488-23-0x0000000003060000-0x000000000311F000-memory.dmp

Filesize
764KB

Download
memory/3488-24-0x0000000008F10000-0x0000000009084000-memory.dmp

Filesize
1.5MB

Download
memory/3488-28-0x0000000003060000-0x000000000311F000-memory.dmp

Filesize
764KB

Download
memory/3488-31-0x00000000089B0000-0x0000000008A61000-memory.dmp

Filesize
708KB

Download
memory/3488-33-0x00000000089B0000-0x0000000008A61000-memory.dmp

Filesize
708KB

Download
memory/4764-26-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/4764-25-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/4764-27-0x0000000000760000-0x0000000000789000-memory.dmp

Filesize
164KB

Download