xloader | 7e5ba666475aac3d9c115cd4d791172d5189ebe444c8f4bdbe0575e570d45075

General

Target

Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
Size

1.2MB
MD5

1e956cce584ed3910b0914ed03c5b396
SHA1

c8e5c8f09696b8d5c81ed979a5eba7066eba5305
SHA256

0c79a0b34b24ef2f69bb07586863afa5d3631398f79b895390ec2beddaa4fb78
SHA512

47196bae5faebcb994d690651d7ce91ae35482f24c42ebd290b681dd5f60dda421368c20bd849d81d5f8c6e882ef084d3ed5c3ed118d1f7133a23e3cd7e66b3f
SSDEEP

24576:J6QP6K2CngiZucOaCrYz4jEmW/g+xRri3Md+clMr+b1E43:tPb2CgcyrKmW/PHi3Hrqv

Score

10^/10

xloader eao discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

eao

Decoy

littletram.com

vanmetaal.com

clubbingspringbreak.com

intohuman.com

steph.place

ipsumksa.com

paultoon.com

wocwebowecbweogw.com

beverlyhillsmerch.com

vans-athens.com

stylishnailsbyem.com

milletvit.com

pappyjacksburgershack.com

anal-liza.com

lotownerbuilders.com

caffinatics.com

cvbtrading.co.uk

pheasanttrailsgolfcourse.com

wed0888.com

sundeepm.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/2768-12-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/2768-17-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/2768-21-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4992 set thread context of 2768	4992	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	100
PID 2768 set thread context of 3540	2768	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	56
PID 2768 set thread context of 3540	2768	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	56
PID 4940 set thread context of 3540	4940	cmstp.exe	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4992	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
4992	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
4992	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
4992	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
4992	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
4992	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2768	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2768	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2768	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2768	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2768	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2768	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe
4940	cmstp.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2768	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2768	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2768	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2768	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
4940	cmstp.exe
4940	cmstp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4992	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
Token: SeDebugPrivilege	2768	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
Token: SeDebugPrivilege	4940	cmstp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 2768	4992	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	100
PID 4992 wrote to memory of 2768	4992	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	100
PID 4992 wrote to memory of 2768	4992	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	100
PID 4992 wrote to memory of 2768	4992	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	100
PID 4992 wrote to memory of 2768	4992	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	100
PID 4992 wrote to memory of 2768	4992	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	100
PID 3540 wrote to memory of 4940	3540	Explorer.EXE	101
PID 3540 wrote to memory of 4940	3540	Explorer.EXE	101
PID 3540 wrote to memory of 4940	3540	Explorer.EXE	101
PID 4940 wrote to memory of 2228	4940	cmstp.exe	103
PID 4940 wrote to memory of 2228	4940	cmstp.exe	103
PID 4940 wrote to memory of 2228	4940	cmstp.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2768-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2768-18-0x0000000000EB0000-0x0000000000EC1000-memory.dmp

Filesize
68KB

Download
memory/2768-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2768-15-0x0000000001340000-0x000000000168A000-memory.dmp

Filesize
3.3MB

Download
memory/2768-22-0x0000000001310000-0x0000000001321000-memory.dmp

Filesize
68KB

Download
memory/2768-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3540-32-0x0000000008960000-0x0000000008AE1000-memory.dmp

Filesize
1.5MB

Download
memory/3540-24-0x0000000002D20000-0x0000000002E81000-memory.dmp

Filesize
1.4MB

Download
memory/3540-30-0x0000000008960000-0x0000000008AE1000-memory.dmp

Filesize
1.5MB

Download
memory/3540-27-0x0000000004590000-0x0000000004648000-memory.dmp

Filesize
736KB

Download
memory/3540-23-0x0000000004590000-0x0000000004648000-memory.dmp

Filesize
736KB

Download
memory/3540-19-0x0000000002D20000-0x0000000002E81000-memory.dmp

Filesize
1.4MB

Download
memory/4940-25-0x0000000000520000-0x0000000000536000-memory.dmp

Filesize
88KB

Download
memory/4940-26-0x0000000000520000-0x0000000000536000-memory.dmp

Filesize
88KB

Download
memory/4992-2-0x0000000005430000-0x00000000059D4000-memory.dmp

Filesize
5.6MB

Download
memory/4992-7-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4992-5-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

Filesize
40KB

Download
memory/4992-11-0x0000000008C10000-0x0000000008C50000-memory.dmp

Filesize
256KB

Download
memory/4992-0-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/4992-1-0x0000000000010000-0x000000000014E000-memory.dmp

Filesize
1.2MB

Download
memory/4992-10-0x00000000065F0000-0x0000000006648000-memory.dmp

Filesize
352KB

Download
memory/4992-3-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/4992-6-0x0000000006550000-0x00000000065EC000-memory.dmp

Filesize
624KB

Download
memory/4992-4-0x0000000004F20000-0x0000000004FB2000-memory.dmp

Filesize
584KB

Download
memory/4992-9-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/4992-8-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/4992-14-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing