xloader | cfbd31c637b07ad4eb5dacd7def13210fd67cd05c112d7094f888e6508c8b88a

General

Target

Machineliste.exe
Size

1.3MB
MD5

5d81c58e9801b350c446bdd2575515f2
SHA1

e29e28781226c5d84b760fdc2cc57eaed8c5d6e3
SHA256

8bb6c5fd879114abac0f9f5812355de6974d0e02305b6dbfb57e72f90e0803a0
SHA512

1f0bd5464849217bae5c86c067f9e0cd7bb465752cf435fa4c00717be1c6251429c4eeee4706c9218b74af0c3c62350e352a03c4de93c85e7aca99013aebb78a
SSDEEP

12288:JMI4B31DdmhX2akBSgXxpmFT531tHaJiKx2iNPG9TXBxlm+LtKu1CMJR3zA5d0yt:2J71Y9TXBv3QuQcO5dzrulpu48YKE1q

Score

10^/10

xloader cg8q discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cg8q

Decoy

postmaniac.com

pordges.com

fritzsislandcampground.com

cekenlerticaret.com

karian.one

pubgcrafter.com

yeyasdeliciasmexicanas.com

replicraft.net

medlylab.com

matkubaj.com

albertsuckow.com

zhizhengsf.com

syntaxpath.com

bridgeparktennis.online

mindpregnancy.com

retirewithmj.biz

weenatter.com

salontafel.online

duinsnowk.quest

raapmanagement.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2852-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2852-17-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2852-21-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/232-28-0x0000000000DB0000-0x0000000000DD9000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1588 set thread context of 2852	1588	Machineliste.exe	100
PID 2852 set thread context of 3584	2852	Machineliste.exe	56
PID 2852 set thread context of 3584	2852	Machineliste.exe	56
PID 232 set thread context of 3584	232	colorcpl.exe	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	colorcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Machineliste.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
1588	Machineliste.exe
1588	Machineliste.exe
2852	Machineliste.exe
2852	Machineliste.exe
2852	Machineliste.exe
2852	Machineliste.exe
2852	Machineliste.exe
2852	Machineliste.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe
232	colorcpl.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2852	Machineliste.exe
2852	Machineliste.exe
2852	Machineliste.exe
2852	Machineliste.exe
232	colorcpl.exe
232	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	Machineliste.exe
Token: SeDebugPrivilege	2852	Machineliste.exe
Token: SeDebugPrivilege	232	colorcpl.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 2812	1588	Machineliste.exe	99
PID 1588 wrote to memory of 2812	1588	Machineliste.exe	99
PID 1588 wrote to memory of 2812	1588	Machineliste.exe	99
PID 1588 wrote to memory of 2852	1588	Machineliste.exe	100
PID 1588 wrote to memory of 2852	1588	Machineliste.exe	100
PID 1588 wrote to memory of 2852	1588	Machineliste.exe	100
PID 1588 wrote to memory of 2852	1588	Machineliste.exe	100
PID 1588 wrote to memory of 2852	1588	Machineliste.exe	100
PID 1588 wrote to memory of 2852	1588	Machineliste.exe	100
PID 3584 wrote to memory of 232	3584	Explorer.EXE	101
PID 3584 wrote to memory of 232	3584	Explorer.EXE	101
PID 3584 wrote to memory of 232	3584	Explorer.EXE	101
PID 232 wrote to memory of 1004	232	colorcpl.exe	102
PID 232 wrote to memory of 1004	232	colorcpl.exe	102
PID 232 wrote to memory of 1004	232	colorcpl.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Users\Admin\AppData\Local\Temp\Machineliste.exe
  "C:\Users\Admin\AppData\Local\Temp\Machineliste.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\Machineliste.exe
    "C:\Users\Admin\AppData\Local\Temp\Machineliste.exe"
    3⤵
    PID:2812
- - C:\Users\Admin\AppData\Local\Temp\Machineliste.exe
    "C:\Users\Admin\AppData\Local\Temp\Machineliste.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Machineliste.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/232-25-0x0000000000440000-0x0000000000459000-memory.dmp

Filesize
100KB

Download
memory/232-26-0x0000000000440000-0x0000000000459000-memory.dmp

Filesize
100KB

Download
memory/232-28-0x0000000000DB0000-0x0000000000DD9000-memory.dmp

Filesize
164KB

Download
memory/1588-4-0x0000000004DF0000-0x0000000004DFA000-memory.dmp

Filesize
40KB

Download
memory/1588-3-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/1588-5-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/1588-6-0x00000000050B0000-0x00000000050C2000-memory.dmp

Filesize
72KB

Download
memory/1588-7-0x00000000751AE000-0x00000000751AF000-memory.dmp

Filesize
4KB

Download
memory/1588-8-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/1588-9-0x00000000064B0000-0x000000000654C000-memory.dmp

Filesize
624KB

Download
memory/1588-10-0x0000000006AD0000-0x0000000006BC8000-memory.dmp

Filesize
992KB

Download
memory/1588-11-0x0000000006410000-0x0000000006440000-memory.dmp

Filesize
192KB

Download
memory/1588-2-0x0000000005420000-0x00000000059C4000-memory.dmp

Filesize
5.6MB

Download
memory/1588-14-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/1588-0-0x00000000751AE000-0x00000000751AF000-memory.dmp

Filesize
4KB

Download
memory/1588-1-0x0000000000290000-0x00000000003EA000-memory.dmp

Filesize
1.4MB

Download
memory/2852-15-0x0000000001AE0000-0x0000000001E2A000-memory.dmp

Filesize
3.3MB

Download
memory/2852-22-0x0000000001A70000-0x0000000001A81000-memory.dmp

Filesize
68KB

Download
memory/2852-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-18-0x00000000015F0000-0x0000000001601000-memory.dmp

Filesize
68KB

Download
memory/2852-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3584-19-0x0000000003030000-0x0000000003107000-memory.dmp

Filesize
860KB

Download
memory/3584-23-0x0000000008A20000-0x0000000008B47000-memory.dmp

Filesize
1.2MB

Download
memory/3584-24-0x0000000003030000-0x0000000003107000-memory.dmp

Filesize
860KB

Download
memory/3584-27-0x0000000008A20000-0x0000000008B47000-memory.dmp

Filesize
1.2MB

Download
memory/3584-31-0x0000000008B50000-0x0000000008C9C000-memory.dmp

Filesize
1.3MB

Download
memory/3584-33-0x0000000008B50000-0x0000000008C9C000-memory.dmp

Filesize
1.3MB

Download
memory/3584-34-0x0000000008B50000-0x0000000008C9C000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing