xloader | 266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74

General

Target

266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe
Size

417KB
MD5

561b2242c36b5599a5c4e25a3322534e
SHA1

fb5a634c77d7f6346ea7d0c3860c3f5a0781618e
SHA256

266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74
SHA512

fa961bf85f2c4f9018ba5dedbd80c1ba4d9de7fd4e79fb2cdf794deb7eb8384e9d56d5cfdf68c552975d5c3594bb22784bce3b846eb98faf4082b02bdd2ed309
SSDEEP

12288:Awhxe47sMXuMCIy04qtaOhv+AlicO/xI/SbVJ50D805VU:Aw3H7drCI4qtaK+Ali9e/SxJ502

Score

10^/10

xloader wogm discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

wogm

Decoy

sub-dude.net

repeatcustom.com

goodspaz.com

sinagropuree.com

jyh8886.com

muescabynes.quest

stark.agency

nolimit168.com

hypermediastore.com

arab-xt-pro.com

gruppovimar.com

santamariamoto.express

affaridistribuciones.com

straetah.com

collectionsbyvivi.com

nalainteriores.com

weeklywars.com

insightmyhome.com

ucml.net

herderguru.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2076-11-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 2076	2380	266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe	99

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2380	266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe
2380	266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe
2076	266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe
2076	266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3828	2380	266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe	98
PID 2380 wrote to memory of 3828	2380	266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe	98
PID 2380 wrote to memory of 3828	2380	266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe	98
PID 2380 wrote to memory of 2076	2380	266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe	99
PID 2380 wrote to memory of 2076	2380	266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe	99
PID 2380 wrote to memory of 2076	2380	266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe	99
PID 2380 wrote to memory of 2076	2380	266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe	99
PID 2380 wrote to memory of 2076	2380	266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe	99
PID 2380 wrote to memory of 2076	2380	266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe	99

C:\Users\Admin\AppData\Local\Temp\266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe
"C:\Users\Admin\AppData\Local\Temp\266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe
  "C:\Users\Admin\AppData\Local\Temp\266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe"
  2⤵
  PID:3828
- C:\Users\Admin\AppData\Local\Temp\266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe
  "C:\Users\Admin\AppData\Local\Temp\266a42301d52352d24b59aa618d582afac1c2f27a5ab66e6e26a42314b5f4f74.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2076-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2076-14-0x00000000015F0000-0x000000000193A000-memory.dmp

Filesize
3.3MB

Download
memory/2380-6-0x0000000007120000-0x000000000712E000-memory.dmp

Filesize
56KB

Download
memory/2380-3-0x0000000007140000-0x00000000071D2000-memory.dmp

Filesize
584KB

Download
memory/2380-4-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2380-5-0x0000000004730000-0x000000000473A000-memory.dmp

Filesize
40KB

Download
memory/2380-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/2380-7-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/2380-8-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2380-9-0x0000000008740000-0x00000000087DC000-memory.dmp

Filesize
624KB

Download
memory/2380-10-0x0000000009AB0000-0x0000000009B02000-memory.dmp

Filesize
328KB

Download
memory/2380-2-0x0000000007610000-0x0000000007BB4000-memory.dmp

Filesize
5.6MB

Download
memory/2380-13-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2380-1-0x00000000002E0000-0x000000000034E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing