xloader | 61cdea2c20945e04f08a759377c43287fed1e3bc2a8896f605dcf66114cdf9eb

Sharing

Copy URL

Twitter E-mail

General

Target

61cdea2c20945e04f08a759377c43287fed1e3bc2a8896f605dcf66114cdf9eb
Size

152KB
MD5

df1b4eb229123d1c559a758a739e109f
SHA1

4326d0dc3b170597459210b3e755c19b8cbf5dfe
SHA256

61cdea2c20945e04f08a759377c43287fed1e3bc2a8896f605dcf66114cdf9eb
SHA512

9304b51c2b997b4088983a7bc65af5f8d3c2d98a61dc9b7f95100c6504b654a752205093d1ed6a0a56381479ced78b4a26b59ea35dec24add55beb51df160ea2
SSDEEP

3072:INqrJTezYnHrnDLlsjNAutGdFeLVmFVak8djZIb8am/Iol5aHs:ISc4blMNZtGOViVaJ9uCaM

Score

10^/10

rat m664 xloader

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

m664

Decoy

theorganisedweddingcompany.com

rugsnz.site

tlcpetsitting-ak.com

sicherheit-solutions.com

yourmillennialinsider.com

planesnissanargentina.com

pinkrose210.com

contact-fip.com

upward-housing.com

digitalmktgservices.com

sabaibakery.com

qtpelearn.com

baldofvizcondephotography.com

canadadigitalnews.com

toyboxwino.com

losangelesdanceclasses.com

donjon2944.com

northernirelandmusictherapy.com

accmix.com

flimty-sicilystore.com

Signatures

Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
static1/unpack001/msiexec_dump.exe	xloader

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/msiexec_dump.exe

Files

61cdea2c20945e04f08a759377c43287fed1e3bc2a8896f605dcf66114cdf9eb
.zip

Password: infected
msiexec_dump.exe
.exe windows:6 windows x86 arch:x86

d978d78f24d00067ae727581cca0b391

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

RegOpenKeyExW
RegCreateKeyExW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
OpenThreadToken
FreeSid
GetLengthSid
AllocateAndInitializeSid
DeregisterEventSource
ReportEventW
RegisterEventSourceW
MakeSelfRelativeSD
GetSecurityDescriptorLength
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
GetAce
AddAccessAllowedAce
InitializeAcl
RegCloseKey
RegSetValueExW
RegDeleteKeyW
RegQueryValueExW
RegDeleteValueW
RegEnumKeyW
CloseServiceHandle
CreateServiceW
OpenSCManagerW
SetThreadToken
DeleteService
QueryServiceStatus
ControlService
OpenServiceW
RegEnumKeyExW
SetServiceStatus
RegisterServiceCtrlHandlerW
EqualSid
GetSecurityDescriptorOwner
RegGetKeySecurity
MakeAbsoluteSD
GetTokenInformation
RevertToSelf
StartServiceCtrlDispatcherW

kernel32

lstrlenW
lstrcmpiW
CloseHandle
InterlockedExchange
GetCurrentProcess
GetLastError
GetCurrentThread
Sleep
GetVersionExW
GetEnvironmentVariableW
InitializeCriticalSection
DeleteCriticalSection
GetProcAddress
LoadLibraryW
MultiByteToWideChar
WideCharToMultiByte
SetLastError
GlobalAlloc
GlobalFree
FreeLibrary
UnhandledExceptionFilter
GetVersion
GetModuleHandleW
WaitForSingleObject
CreateProcessW
GetModuleFileNameW
InterlockedDecrement
InterlockedIncrement
lstrcmpW
FormatMessageW
GetSystemDefaultLangID
LoadLibraryExW
SetCurrentDirectoryW
OutputDebugStringW
WriteFile
GetLocaleInfoW
GetACP
LeaveCriticalSection
EnterCriticalSection
OpenProcess
CreateEventW
OpenEventW
CompareStringW
GetFileType
GetStdHandle
GetCommandLineW
ExitProcess
SetEvent
SetConsoleCtrlHandler
CreateThread
GetSystemDirectoryW
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetModuleHandleA
TerminateProcess
SetUnhandledExceptionFilter
GetStartupInfoA
InterlockedCompareExchange

user32

MsgWaitForMultipleObjects
IsCharAlphaNumericW
GetMessageW
PeekMessageW
DispatchMessageW
TranslateMessage
PostQuitMessage
PostThreadMessageW

msvcrt

_acmdln
_initterm
_amsg_exit
__setusermatherr
__p__commode
__p__fmode
__set_app_type
_unlock
__dllonexit
_lock
_onexit
?terminate@@YAXXZ
_controlfp
exit
_ismbblead
_XcptFilter
_exit
_cexit
__getmainargs
_vsnprintf
_vsnwprintf
_wcsicmp
memcpy
memset
wcsrchr

ntdll

RtlNtStatusToDosError
RtlUnwind
NtQueryInformationProcess

ole32

CoInitialize
CoRevokeClassObject
CoRegisterClassObject
StgOpenStorage
CoUninitialize

msi

ord141
ord70
ord190
ord280
ord197
ord228
ord136
ord169
ord78
ord148
ord8
ord88
ord199
ord131
ord184
ord175
ord240
ord222
ord196

Sections

.text
Size: 52KB - Virtual size: 52KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

NULL
Size: - Virtual size: 432KB

IMAGE_SCN_MEM_DISCARDABLE

Size: 164KB - Virtual size: 164KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

d978d78f24d00067ae727581cca0b391

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

user32

msvcrt

ntdll

ole32

msi

Sections

.text Size: 52KB - Virtual size: 52KB

.data Size: 12KB - Virtual size: 12KB

.rsrc Size: 8KB - Virtual size: 8KB

.reloc Size: 4KB - Virtual size: 4KB

NULL Size: - Virtual size: 432KB

Size: 164KB - Virtual size: 164KB

.text
Size: 52KB - Virtual size: 52KB

.data
Size: 12KB - Virtual size: 12KB

.rsrc
Size: 8KB - Virtual size: 8KB

.reloc
Size: 4KB - Virtual size: 4KB

NULL
Size: - Virtual size: 432KB