xloader | 7ca0acdc3e8b24c2034b2205dbfdf744c903cae7c88b1d09b529991168c05dca

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Advice for Outstanding Invoices (2).exe
Size

621KB
MD5

2a2d3e7c62d3b3a9e9ef3565f04a2dc5
SHA1

e4829cc9645d8c2a26929d2f132cf6d0f358a988
SHA256

c435fcfb3786d573ede77e30ded01503640a4de64523df7e9078cfc572381ced
SHA512

0226f28426976c5bd064caabea3645062a99e1b1e99e79e4d518c783e208b299534ea9a4d1180bc43651fb1b65f72440382910b7ddf30e57ee4b8c9c9a732871
SSDEEP

12288:7Zbr8K777777777777TkNdgOG0IzkXh7aolFyiSu61xdEJXouOo0XSLEdigeAaui:7F8K777777777777TiP8EFhmoMst

Score

10^/10

xloader nqni discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nqni

Decoy

lekitaly.com

heroteas.com

funtique.art

cedarmoonshop.com

greenozon.com

jonescompanysolutions.com

pdxls.com

icreateandcut.com

healthylifeagainnow.com

zhongxinzxpz.top

hotelsaskatchewan.info

louisebeckinsale.net

hivizpeople.com

sanjoseejidillo.com

turnspout.net

suddennnnnnnnnnnn02.xyz

annianzu.icu

webdesigncharlestonsc.com

headrank.agency

bradyiconmusiccenter.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral28/memory/2360-17-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral28/memory/2360-21-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral28/memory/2720-26-0x00000000000F0000-0x0000000000119000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 2360	2308	Payment Advice for Outstanding Invoices (2).exe	33
PID 2360 set thread context of 1224	2360	Payment Advice for Outstanding Invoices (2).exe	21
PID 2720 set thread context of 1224	2720	cmstp.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment Advice for Outstanding Invoices (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2308	Payment Advice for Outstanding Invoices (2).exe
2360	Payment Advice for Outstanding Invoices (2).exe
2360	Payment Advice for Outstanding Invoices (2).exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe
2720	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2360	Payment Advice for Outstanding Invoices (2).exe
2360	Payment Advice for Outstanding Invoices (2).exe
2360	Payment Advice for Outstanding Invoices (2).exe
2720	cmstp.exe
2720	cmstp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	Payment Advice for Outstanding Invoices (2).exe
Token: SeDebugPrivilege	2360	Payment Advice for Outstanding Invoices (2).exe
Token: SeDebugPrivilege	2720	cmstp.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2708	2308	Payment Advice for Outstanding Invoices (2).exe	31
PID 2308 wrote to memory of 2708	2308	Payment Advice for Outstanding Invoices (2).exe	31
PID 2308 wrote to memory of 2708	2308	Payment Advice for Outstanding Invoices (2).exe	31
PID 2308 wrote to memory of 2708	2308	Payment Advice for Outstanding Invoices (2).exe	31
PID 2308 wrote to memory of 2360	2308	Payment Advice for Outstanding Invoices (2).exe	33
PID 2308 wrote to memory of 2360	2308	Payment Advice for Outstanding Invoices (2).exe	33
PID 2308 wrote to memory of 2360	2308	Payment Advice for Outstanding Invoices (2).exe	33
PID 2308 wrote to memory of 2360	2308	Payment Advice for Outstanding Invoices (2).exe	33
PID 2308 wrote to memory of 2360	2308	Payment Advice for Outstanding Invoices (2).exe	33
PID 2308 wrote to memory of 2360	2308	Payment Advice for Outstanding Invoices (2).exe	33
PID 2308 wrote to memory of 2360	2308	Payment Advice for Outstanding Invoices (2).exe	33
PID 1224 wrote to memory of 2720	1224	Explorer.EXE	35
PID 1224 wrote to memory of 2720	1224	Explorer.EXE	35
PID 1224 wrote to memory of 2720	1224	Explorer.EXE	35
PID 1224 wrote to memory of 2720	1224	Explorer.EXE	35
PID 1224 wrote to memory of 2720	1224	Explorer.EXE	35
PID 1224 wrote to memory of 2720	1224	Explorer.EXE	35
PID 1224 wrote to memory of 2720	1224	Explorer.EXE	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
  "C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IlSblFRyVadI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp53BB.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2708
- - C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1632
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp53BB.tmp

Filesize
1KB

MD5
aea361e0d958585063b984aab3003f86

SHA1
c8e9c941ea6a2f5fdeebe1dafe059495922e8fcf

SHA256
a86143ac52bc82907a668bed4115b09d345d731b0b69867b6b7bd42c00c83d66

SHA512
bfe973cecbe75542a7bd0d5ec5a23de6a6641231407305522a3a100bdc82ca9436204f73e69b0c9c6568ad4c92bf79fc5f56d1d9beceeb2e28afe04e73186517

Download Submit
memory/1224-23-0x0000000004800000-0x00000000048B1000-memory.dmp

Filesize
708KB

Download
memory/1224-27-0x0000000004800000-0x00000000048B1000-memory.dmp

Filesize
708KB

Download
memory/1224-28-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/2308-3-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2308-5-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-6-0x0000000005F10000-0x0000000005F94000-memory.dmp

Filesize
528KB

Download
memory/2308-7-0x0000000000940000-0x0000000000970000-memory.dmp

Filesize
192KB

Download
memory/2308-4-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/2308-18-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-0-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/2308-2-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-1-0x0000000001060000-0x0000000001102000-memory.dmp

Filesize
648KB

Download
memory/2360-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2360-19-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/2360-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-22-0x00000000004F0000-0x0000000000501000-memory.dmp

Filesize
68KB

Download
memory/2360-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2360-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-24-0x0000000000540000-0x0000000000558000-memory.dmp

Filesize
96KB

Download
memory/2720-25-0x0000000000540000-0x0000000000558000-memory.dmp

Filesize
96KB

Download
memory/2720-26-0x00000000000F0000-0x0000000000119000-memory.dmp

Filesize
164KB

Download