xloader | 6c52af67375cff10635d85e1125a18ce827b7450ed5cf1e0d60300fbe57217e9

General

Target

RFQ-2203IQ22.exe
Size

363KB
MD5

497c61e3c3b524f3f5e21133e25e9fed
SHA1

3ae28a52da98599f857c6086bd650ddb7a08884b
SHA256

e8a006ff04f0284cdd1008d687dc62231e78886c017904c462c0b18d9b938a8a
SHA512

4fccfe219f77d9cb9da4c017fb28e33ba9fad4f7e7202525ef7a0d36e39b2c51b70d5d61e4ff011abee75f39cb1910cd5580274aa796991c8366ee3cb196ab3a
SSDEEP

6144:TGi7FnvhydhcoKQB9IkZFPVOcVKmPo1irNYMr08C2YuDPwHEzzRof28Jt:1w95FdOEoKQ8C2YuDPwMzefRf

Score

10^/10

xloader iedi discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

iedi

Decoy

taschenhimmel.guru

nychehang.com

samrgov.xyz

lumenharleystreet.com

286241.com

herramientaspcdigitales.com

collegesecurityroadshow.com

fcpt.club

iphone13promax.art

karmikdevco.com

melanin4mermaidstalks.com

550-29th.com

bsthuy24h.com

desertmermaidcreations.com

fifi8.xyz

interweavelife.com

onlylands.icu

freemanengenharia.com

referralinstituteatlanta.com

dugerits.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2820-15-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2820-19-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2804-25-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
2228	dbhvn.exe
2820	dbhvn.exe

Loads dropped DLL 3 IoCs

pid	Process
2780	RFQ-2203IQ22.exe
2780	RFQ-2203IQ22.exe
2228	dbhvn.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2228 set thread context of 2820	2228	dbhvn.exe	31
PID 2820 set thread context of 1180	2820	dbhvn.exe	21
PID 2804 set thread context of 1180	2804	colorcpl.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RFQ-2203IQ22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbhvn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	colorcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2820	dbhvn.exe
2820	dbhvn.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe
2804	colorcpl.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2820	dbhvn.exe
2820	dbhvn.exe
2820	dbhvn.exe
2804	colorcpl.exe
2804	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	dbhvn.exe
Token: SeDebugPrivilege	2804	colorcpl.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2228	2780	RFQ-2203IQ22.exe	30
PID 2780 wrote to memory of 2228	2780	RFQ-2203IQ22.exe	30
PID 2780 wrote to memory of 2228	2780	RFQ-2203IQ22.exe	30
PID 2780 wrote to memory of 2228	2780	RFQ-2203IQ22.exe	30
PID 2228 wrote to memory of 2820	2228	dbhvn.exe	31
PID 2228 wrote to memory of 2820	2228	dbhvn.exe	31
PID 2228 wrote to memory of 2820	2228	dbhvn.exe	31
PID 2228 wrote to memory of 2820	2228	dbhvn.exe	31
PID 2228 wrote to memory of 2820	2228	dbhvn.exe	31
PID 2228 wrote to memory of 2820	2228	dbhvn.exe	31
PID 2228 wrote to memory of 2820	2228	dbhvn.exe	31
PID 1180 wrote to memory of 2804	1180	Explorer.EXE	32
PID 1180 wrote to memory of 2804	1180	Explorer.EXE	32
PID 1180 wrote to memory of 2804	1180	Explorer.EXE	32
PID 1180 wrote to memory of 2804	1180	Explorer.EXE	32
PID 2804 wrote to memory of 2576	2804	colorcpl.exe	33
PID 2804 wrote to memory of 2576	2804	colorcpl.exe	33
PID 2804 wrote to memory of 2576	2804	colorcpl.exe	33
PID 2804 wrote to memory of 2576	2804	colorcpl.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Local\Temp\RFQ-2203IQ22.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ-2203IQ22.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\dbhvn.exe
    C:\Users\Admin\AppData\Local\Temp\dbhvn.exe C:\Users\Admin\AppData\Local\Temp\ysooupq
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\dbhvn.exe
      C:\Users\Admin\AppData\Local\Temp\dbhvn.exe C:\Users\Admin\AppData\Local\Temp\ysooupq
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2820
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\dbhvn.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jveithbc8i

Filesize
210KB

MD5
3f12428b5a1afbdca2f1512a0157a8f6

SHA1
d99e0c7965a9150acee3159a8c8dacc75e300372

SHA256
a7e502ba7d504d5cd361f0dc2a01c30b346b72b00c55f023df8ab52b703f6193

SHA512
192cf6d404de31f70ebe5c52ad9c2645c0d65e345ef86c514ed0552089f0ec69233b44a22f51330302c4e320b308b86d65359497abfd98ca083d8c8fe8c0ad52

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysooupq

Filesize
4KB

MD5
ea559a32d5fcc3abb041266808447cff

SHA1
34388899e6f7e333a765f7b87434a4aa7d9787f7

SHA256
22da97a15483334c545403689f61dfb09b46563a8e3b9c91f577a9b4d97e8563

SHA512
4b92ba0d39498d2ab9f4e8b98364674c60d857018837d5466dcc64658748f09f75b344a2e7b0dfc791077f291fcd0879626cd450ca168f1c8b033cc3e286ac41

Download Submit
\Users\Admin\AppData\Local\Temp\dbhvn.exe

Filesize
107KB

MD5
2c3eb1912198569cf1680077ac995221

SHA1
c69948d7e3d380b1b8d29df7501eadc0fea857ec

SHA256
e1b09d71f05cf589e41f3701142b3fd917508e3b5f43eaa810bcaeab74f18165

SHA512
9553c96268cffb7638ff1e2df116ddb039654fc221328a6fa5673d1b502cfaca6d1762a6e3a537d530eec6c66004058520de6592aa6492e80f7faef7f73e49bd

Download Submit
memory/1180-22-0x00000000052B0000-0x0000000005398000-memory.dmp

Filesize
928KB

Download
memory/1180-26-0x00000000052B0000-0x0000000005398000-memory.dmp

Filesize
928KB

Download
memory/2228-12-0x00000000000E0000-0x00000000000E2000-memory.dmp

Filesize
8KB

Download
memory/2804-23-0x0000000000190000-0x00000000001A8000-memory.dmp

Filesize
96KB

Download
memory/2804-24-0x0000000000190000-0x00000000001A8000-memory.dmp

Filesize
96KB

Download
memory/2804-25-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2820-20-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/2820-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2820-17-0x0000000000900000-0x0000000000C03000-memory.dmp

Filesize
3.0MB

Download
memory/2820-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing