xloader | 3b67f83ca51ccbae0cf01f8d10083eade40c3e0c8ca70bab4d4bd958423b96b8

General

Target

$PLUGINSDIR/spgmjdph.dll
Size

93KB
MD5

0fbc559ab75e9cd8326de1b0aa075a8f
SHA1

ea1c07acf1913c487c18060380a71bfe18b72791
SHA256

bdf272998ebda2e91775e6a463ff01cfcf1cdbdbec3309bb61caaf1b5d28eec4
SHA512

72b83b58dc1ec3051557431b50b146784f43fcdb0d5c9f6bef7c9876d8455908f3c486be561567e71b2036fb13ad6739f713d4205b079a6c379b4306154ed1f6
SSDEEP

1536:j5ERZT7DoOkA0L0zM5oDB6HKbWyhe2FBbUfs9Cg5+l1OB:j5ERZTPoOkA0avBge55+l

Score

10^/10

xloader seqa discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

seqa

Decoy

alstartnpasumo5.xyz

jarvisbranding.com

kyiv-bdsm.club

hunttools.info

bantaleautomotiveengineers.com

comercioexpresschilpancingo.com

smallbusinessalliancegroup.com

swlawfirmok.com

marketciphermerch.com

gxmmvcn.icu

betwonsikayet.com

bise.tech

minismi2.com

bucklestylez.com

hereford-cattle.com

yufude.com

tangerineinit.com

destinyforfreedom.com

team-rwby-project.com

richardkmartinez.store

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral3/memory/2880-1-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral3/memory/2880-4-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral3/memory/2212-10-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2164 set thread context of 2880	2164	rundll32.exe	30
PID 2880 set thread context of 1196	2880	rundll32.exe	20
PID 2212 set thread context of 1196	2212	NAPSTAT.EXE	20

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NAPSTAT.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2880	rundll32.exe
2880	rundll32.exe
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2880	rundll32.exe
2880	rundll32.exe
2880	rundll32.exe
2212	NAPSTAT.EXE
2212	NAPSTAT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	rundll32.exe
Token: SeDebugPrivilege	2212	NAPSTAT.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2164	2116	rundll32.exe	29
PID 2116 wrote to memory of 2164	2116	rundll32.exe	29
PID 2116 wrote to memory of 2164	2116	rundll32.exe	29
PID 2116 wrote to memory of 2164	2116	rundll32.exe	29
PID 2116 wrote to memory of 2164	2116	rundll32.exe	29
PID 2116 wrote to memory of 2164	2116	rundll32.exe	29
PID 2116 wrote to memory of 2164	2116	rundll32.exe	29
PID 2164 wrote to memory of 2880	2164	rundll32.exe	30
PID 2164 wrote to memory of 2880	2164	rundll32.exe	30
PID 2164 wrote to memory of 2880	2164	rundll32.exe	30
PID 2164 wrote to memory of 2880	2164	rundll32.exe	30
PID 2164 wrote to memory of 2880	2164	rundll32.exe	30
PID 2164 wrote to memory of 2880	2164	rundll32.exe	30
PID 2164 wrote to memory of 2880	2164	rundll32.exe	30
PID 2164 wrote to memory of 2880	2164	rundll32.exe	30
PID 2164 wrote to memory of 2880	2164	rundll32.exe	30
PID 2164 wrote to memory of 2880	2164	rundll32.exe	30
PID 1196 wrote to memory of 2212	1196	Explorer.EXE	31
PID 1196 wrote to memory of 2212	1196	Explorer.EXE	31
PID 1196 wrote to memory of 2212	1196	Explorer.EXE	31
PID 1196 wrote to memory of 2212	1196	Explorer.EXE	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\spgmjdph.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\spgmjdph.dll,#1
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\spgmjdph.dll,#1
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2880
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-5-0x0000000003E10000-0x0000000003F10000-memory.dmp

Filesize
1024KB

Download
memory/1196-7-0x0000000002D60000-0x0000000002E83000-memory.dmp

Filesize
1.1MB

Download
memory/1196-11-0x0000000002D60000-0x0000000002E83000-memory.dmp

Filesize
1.1MB

Download
memory/2164-0-0x0000000074A95000-0x0000000074A97000-memory.dmp

Filesize
8KB

Download
memory/2212-8-0x0000000000540000-0x0000000000586000-memory.dmp

Filesize
280KB

Download
memory/2212-9-0x0000000000540000-0x0000000000586000-memory.dmp

Filesize
280KB

Download
memory/2212-10-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2880-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-2-0x00000000021E0000-0x00000000024E3000-memory.dmp

Filesize
3.0MB

Download
memory/2880-6-0x0000000000230000-0x0000000000241000-memory.dmp

Filesize
68KB

Download
memory/2880-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing