xloader | 031527224e74b82bf16e639c666134674ecc8a6e648fed2f68255617bd6a3b18

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

USD $.exe
Size

1.0MB
MD5

7098068c07032900ff073b55a8ad8e0b
SHA1

5bdda0bc06b935689f29d55b297d0523d82c6bfa
SHA256

2d7aac32ea8a8329262ead70ec2f030c1a4061e4edafdf03e605bb9ce606836e
SHA512

c5568a37cd6cfa600af5742acd1143d434035e2b5d7caa515ccbf182c6f72030e28a3562ee9f5e9341bcc5aeef45f498434fb8ff6835bc07c04220440d0aaf39
SSDEEP

12288:WA72Z5kzykTvNYf3ACtYKWBAZcQEuanCJ4ZTuWnCT2EypSTU0KfOgzUhr2X0GSGl:WAaZ5k7TvqfwCqiZ9149O21FCWZ

Score

10^/10

xloader weni discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

weni

Decoy

sdmdwang.com

konversationswithkoshie.net

carap.club

eagldeream.com

856380585.xyz

elgallocoffee.com

magetu.info

lovertons.com

theichallenge.com

advancedautorepairsonline.com

wingsstyling.info

tapdaugusta.com

wiloasbanhsgtarewdasc.solutions

donjrisdumb.com

experienceddoctor.com

cloverhillconsultants.com

underwear.show

karensgonewild2020.com

arodsr.com

thefucktardmanual.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral31/memory/336-12-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral31/memory/336-16-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral31/memory/336-21-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral31/memory/2860-28-0x0000000001000000-0x0000000001028000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3696 set thread context of 336	3696	USD $.exe	93
PID 336 set thread context of 3488	336	RegSvcs.exe	56
PID 336 set thread context of 3488	336	RegSvcs.exe	56
PID 2860 set thread context of 3488	2860	msdt.exe	56

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USD $.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
3696	USD $.exe
336	RegSvcs.exe
336	RegSvcs.exe
336	RegSvcs.exe
336	RegSvcs.exe
336	RegSvcs.exe
336	RegSvcs.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe
2860	msdt.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
336	RegSvcs.exe
336	RegSvcs.exe
336	RegSvcs.exe
336	RegSvcs.exe
2860	msdt.exe
2860	msdt.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3696	USD $.exe
Token: SeDebugPrivilege	336	RegSvcs.exe
Token: SeShutdownPrivilege	3488	Explorer.EXE
Token: SeCreatePagefilePrivilege	3488	Explorer.EXE
Token: SeShutdownPrivilege	3488	Explorer.EXE
Token: SeCreatePagefilePrivilege	3488	Explorer.EXE
Token: SeDebugPrivilege	2860	msdt.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 336	3696	USD $.exe	93
PID 3696 wrote to memory of 336	3696	USD $.exe	93
PID 3696 wrote to memory of 336	3696	USD $.exe	93
PID 3696 wrote to memory of 336	3696	USD $.exe	93
PID 3696 wrote to memory of 336	3696	USD $.exe	93
PID 3696 wrote to memory of 336	3696	USD $.exe	93
PID 336 wrote to memory of 2860	336	RegSvcs.exe	102
PID 336 wrote to memory of 2860	336	RegSvcs.exe	102
PID 336 wrote to memory of 2860	336	RegSvcs.exe	102
PID 2860 wrote to memory of 4432	2860	msdt.exe	103
PID 2860 wrote to memory of 4432	2860	msdt.exe	103
PID 2860 wrote to memory of 4432	2860	msdt.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3488
- C:\Users\Admin\AppData\Local\Temp\USD $.exe
  "C:\Users\Admin\AppData\Local\Temp\USD $.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:336
  - - C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4432
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2600
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:3228
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2040
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:3936
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4536
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4224
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4740
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/336-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/336-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/336-22-0x0000000001110000-0x0000000001120000-memory.dmp

Filesize
64KB

Download
memory/336-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/336-17-0x00000000010B0000-0x00000000010C0000-memory.dmp

Filesize
64KB

Download
memory/336-14-0x00000000015B0000-0x00000000018FA000-memory.dmp

Filesize
3.3MB

Download
memory/2860-28-0x0000000001000000-0x0000000001028000-memory.dmp

Filesize
160KB

Download
memory/2860-26-0x00000000009D0000-0x0000000000A27000-memory.dmp

Filesize
348KB

Download
memory/2860-25-0x00000000009D0000-0x0000000000A27000-memory.dmp

Filesize
348KB

Download
memory/3488-24-0x0000000002750000-0x0000000002829000-memory.dmp

Filesize
868KB

Download
memory/3488-18-0x0000000002750000-0x0000000002829000-memory.dmp

Filesize
868KB

Download
memory/3488-34-0x0000000002DF0000-0x0000000002EAA000-memory.dmp

Filesize
744KB

Download
memory/3488-32-0x0000000002DF0000-0x0000000002EAA000-memory.dmp

Filesize
744KB

Download
memory/3488-31-0x0000000002DF0000-0x0000000002EAA000-memory.dmp

Filesize
744KB

Download
memory/3488-27-0x0000000008150000-0x0000000008280000-memory.dmp

Filesize
1.2MB

Download
memory/3488-23-0x0000000008150000-0x0000000008280000-memory.dmp

Filesize
1.2MB

Download
memory/3696-5-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/3696-19-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/3696-10-0x00000000052A0000-0x000000000532C000-memory.dmp

Filesize
560KB

Download
memory/3696-4-0x00000000047F0000-0x00000000047FA000-memory.dmp

Filesize
40KB

Download
memory/3696-6-0x0000000004EC0000-0x0000000004F5C000-memory.dmp

Filesize
624KB

Download
memory/3696-0-0x000000007499E000-0x000000007499F000-memory.dmp

Filesize
4KB

Download
memory/3696-3-0x0000000007240000-0x00000000072D2000-memory.dmp

Filesize
584KB

Download
memory/3696-2-0x0000000007750000-0x0000000007CF4000-memory.dmp

Filesize
5.6MB

Download
memory/3696-7-0x0000000004E30000-0x0000000004E38000-memory.dmp

Filesize
32KB

Download
memory/3696-1-0x0000000000200000-0x0000000000306000-memory.dmp

Filesize
1.0MB

Download
memory/3696-8-0x000000007499E000-0x000000007499F000-memory.dmp

Filesize
4KB

Download
memory/3696-9-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/3696-11-0x0000000004DD0000-0x0000000004E0A000-memory.dmp

Filesize
232KB

Download