xloader | cfbd31c637b07ad4eb5dacd7def13210fd67cd05c112d7094f888e6508c8b88a

General

Target

Machineliste.exe
Size

1.3MB
MD5

5d81c58e9801b350c446bdd2575515f2
SHA1

e29e28781226c5d84b760fdc2cc57eaed8c5d6e3
SHA256

8bb6c5fd879114abac0f9f5812355de6974d0e02305b6dbfb57e72f90e0803a0
SHA512

1f0bd5464849217bae5c86c067f9e0cd7bb465752cf435fa4c00717be1c6251429c4eeee4706c9218b74af0c3c62350e352a03c4de93c85e7aca99013aebb78a
SSDEEP

12288:JMI4B31DdmhX2akBSgXxpmFT531tHaJiKx2iNPG9TXBxlm+LtKu1CMJR3zA5d0yt:2J71Y9TXBv3QuQcO5dzrulpu48YKE1q

Score

10^/10

xloader cg8q discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cg8q

Decoy

postmaniac.com

pordges.com

fritzsislandcampground.com

cekenlerticaret.com

karian.one

pubgcrafter.com

yeyasdeliciasmexicanas.com

replicraft.net

medlylab.com

matkubaj.com

albertsuckow.com

zhizhengsf.com

syntaxpath.com

bridgeparktennis.online

mindpregnancy.com

retirewithmj.biz

weenatter.com

salontafel.online

duinsnowk.quest

raapmanagement.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2972-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2432 set thread context of 2972	2432	Machineliste.exe	32

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	2972	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Machineliste.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Machineliste.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2432	Machineliste.exe
2432	Machineliste.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	Machineliste.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2892	2432	Machineliste.exe	31
PID 2432 wrote to memory of 2892	2432	Machineliste.exe	31
PID 2432 wrote to memory of 2892	2432	Machineliste.exe	31
PID 2432 wrote to memory of 2892	2432	Machineliste.exe	31
PID 2432 wrote to memory of 2972	2432	Machineliste.exe	32
PID 2432 wrote to memory of 2972	2432	Machineliste.exe	32
PID 2432 wrote to memory of 2972	2432	Machineliste.exe	32
PID 2432 wrote to memory of 2972	2432	Machineliste.exe	32
PID 2432 wrote to memory of 2972	2432	Machineliste.exe	32
PID 2432 wrote to memory of 2972	2432	Machineliste.exe	32
PID 2432 wrote to memory of 2972	2432	Machineliste.exe	32
PID 2972 wrote to memory of 2748	2972	Machineliste.exe	33
PID 2972 wrote to memory of 2748	2972	Machineliste.exe	33
PID 2972 wrote to memory of 2748	2972	Machineliste.exe	33
PID 2972 wrote to memory of 2748	2972	Machineliste.exe	33

C:\Users\Admin\AppData\Local\Temp\Machineliste.exe
"C:\Users\Admin\AppData\Local\Temp\Machineliste.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\Machineliste.exe
  "C:\Users\Admin\AppData\Local\Temp\Machineliste.exe"
  2⤵
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\Machineliste.exe
  "C:\Users\Admin\AppData\Local\Temp\Machineliste.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 36
    3⤵
    - Program crash
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2432-6-0x0000000005D10000-0x0000000005E08000-memory.dmp

Filesize
992KB

Download
memory/2432-1-0x0000000000010000-0x000000000016A000-memory.dmp

Filesize
1.4MB

Download
memory/2432-2-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2432-3-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2432-4-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/2432-5-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2432-0-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/2432-7-0x0000000002100000-0x0000000002130000-memory.dmp

Filesize
192KB

Download
memory/2432-14-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2972-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2972-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2972-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing