xloader | b249ae01115f9dd1e29855b35215d33b516bda11f4c32270478ba0cd7392fef5

General

Target

0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe
Size

1.5MB
MD5

b7a26e637aa3bd7fba1c3e95531f6cdc
SHA1

dfe13564e422386ec2fcef7ad4ecf3903b581fb7
SHA256

0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984
SHA512

99dbd6b31d94d6dc6df31e3f3f7ceb8b344b662a1add4db03c99a68ecb89a55fb0178e9270e1ece88675a87113369e792cea46e6fc722d4b17c67c9b4a062ddf
SSDEEP

49152:z8W5UWOfuGqMhPwo9F7A/BB8LRBFrXWqKzKzgNR5u:zD57OfuGqMhPwofA/BB8LRBF7fOR

Score

10^/10

xloader q44r discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

q44r

Decoy

mauricenorthmore.com

9nahvj2e-666.com

vkfrr.com

lowendtherapy.com

breizh-charente-maritime.com

academydocprep.com

scampifoods.com

afamnite.com

southeasternsteakcompany.com

rokos-capital.net

gofargo-together.com

zbytlt.com

rline-official.com

ibusier.net

protectedmaintenance.com

proxrem.com

microsemiportal.com

fpvvoleibolmenores.com

creativegrowthllc.com

godslineaccelerated.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4380-14-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2344 set thread context of 4380	2344	0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe	91

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2344	0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe
2344	0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe
2344	0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe
2344	0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe
4380	0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe
4380	0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 4380	2344	0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe	91
PID 2344 wrote to memory of 4380	2344	0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe	91
PID 2344 wrote to memory of 4380	2344	0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe	91
PID 2344 wrote to memory of 4380	2344	0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe	91
PID 2344 wrote to memory of 4380	2344	0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe	91
PID 2344 wrote to memory of 4380	2344	0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe	91

C:\Users\Admin\AppData\Local\Temp\0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe
"C:\Users\Admin\AppData\Local\Temp\0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe
  "C:\Users\Admin\AppData\Local\Temp\0dd0a3dfcbf4b14b487264645dae24d1b9fa04d2c906ca1767c93b49ad2cb984.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2344-8-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/2344-4-0x0000000004CF0000-0x0000000004D82000-memory.dmp

Filesize
584KB

Download
memory/2344-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/2344-3-0x00000000052A0000-0x0000000005844000-memory.dmp

Filesize
5.6MB

Download
memory/2344-9-0x0000000007D20000-0x0000000007D2C000-memory.dmp

Filesize
48KB

Download
memory/2344-5-0x0000000004C90000-0x0000000004C9A000-memory.dmp

Filesize
40KB

Download
memory/2344-6-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/2344-10-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/2344-2-0x0000000004BA0000-0x0000000004C3C000-memory.dmp

Filesize
624KB

Download
memory/2344-1-0x00000000001B0000-0x000000000033A000-memory.dmp

Filesize
1.5MB

Download
memory/2344-7-0x0000000004EF0000-0x0000000004F46000-memory.dmp

Filesize
344KB

Download
memory/2344-11-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/2344-12-0x0000000000AB0000-0x0000000000B28000-memory.dmp

Filesize
480KB

Download
memory/2344-13-0x0000000000B80000-0x0000000000BB2000-memory.dmp

Filesize
200KB

Download
memory/2344-16-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/4380-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4380-17-0x00000000018B0000-0x0000000001BFA000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing