xloader | 3e4d822608eabbd09ec42b37c1e935582e32e4f75a2d1248e261814faead9d4b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2869e0c3e746c3baa787fb20464d3b4b286591d96f1ea89b8d852bcae32f4ef0.exe
Size

495KB
MD5

1d4fd5f9ce67b9701527fe44c5c01328
SHA1

cd0b4fb2f1ba6d54310cd4cad70e375c7da3e5ef
SHA256

2869e0c3e746c3baa787fb20464d3b4b286591d96f1ea89b8d852bcae32f4ef0
SHA512

e43d10db454ab5d025f5043812c0ad116102b09230bb1b1e72760d000f9de41b172e1d6bccc05b5504fcf67ec0a2620275f85078f4adc3d7b2ec433ac498b0f5
SSDEEP

12288:3gfm1GNmrNm2r5t8v+vtrqt6QuQnKTrMqTUcvJbNm:mgHkSt0+vtBTrpUci

Score

10^/10

xloader mwfc discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mwfc

Decoy

a-great-intl-voip-phones.zone

police-trust-security.com

415391.com

coi-sl.com

liming-steel.com

criticalracetheoryexplained.com

pintoent.com

columbusrx.com

clarktribe.net

texasforblanchard.com

musical.voyage

priyamblogs.com

employbridge.works

americanchessmaster.com

australiaaddictioncenters.com

drkell-yann.xyz

barryisdaner.com

frankkystein.art

aromatoto7.com

alsuwal.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2148-13-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2148-16-0x0000000000830000-0x0000000000B33000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2820 set thread context of 2148	2820	2869e0c3e746c3baa787fb20464d3b4b286591d96f1ea89b8d852bcae32f4ef0.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2869e0c3e746c3baa787fb20464d3b4b286591d96f1ea89b8d852bcae32f4ef0.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2148	2869e0c3e746c3baa787fb20464d3b4b286591d96f1ea89b8d852bcae32f4ef0.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2148	2820	2869e0c3e746c3baa787fb20464d3b4b286591d96f1ea89b8d852bcae32f4ef0.exe	31
PID 2820 wrote to memory of 2148	2820	2869e0c3e746c3baa787fb20464d3b4b286591d96f1ea89b8d852bcae32f4ef0.exe	31
PID 2820 wrote to memory of 2148	2820	2869e0c3e746c3baa787fb20464d3b4b286591d96f1ea89b8d852bcae32f4ef0.exe	31
PID 2820 wrote to memory of 2148	2820	2869e0c3e746c3baa787fb20464d3b4b286591d96f1ea89b8d852bcae32f4ef0.exe	31
PID 2820 wrote to memory of 2148	2820	2869e0c3e746c3baa787fb20464d3b4b286591d96f1ea89b8d852bcae32f4ef0.exe	31
PID 2820 wrote to memory of 2148	2820	2869e0c3e746c3baa787fb20464d3b4b286591d96f1ea89b8d852bcae32f4ef0.exe	31
PID 2820 wrote to memory of 2148	2820	2869e0c3e746c3baa787fb20464d3b4b286591d96f1ea89b8d852bcae32f4ef0.exe	31

C:\Users\Admin\AppData\Local\Temp\2869e0c3e746c3baa787fb20464d3b4b286591d96f1ea89b8d852bcae32f4ef0.exe
"C:\Users\Admin\AppData\Local\Temp\2869e0c3e746c3baa787fb20464d3b4b286591d96f1ea89b8d852bcae32f4ef0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\2869e0c3e746c3baa787fb20464d3b4b286591d96f1ea89b8d852bcae32f4ef0.exe
  "C:\Users\Admin\AppData\Local\Temp\2869e0c3e746c3baa787fb20464d3b4b286591d96f1ea89b8d852bcae32f4ef0.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2148-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-16-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/2148-15-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/2148-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2148-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2820-3-0x00000000004D0000-0x00000000004E4000-memory.dmp

Filesize
80KB

Download
memory/2820-7-0x0000000000B60000-0x0000000000B90000-memory.dmp

Filesize
192KB

Download
memory/2820-6-0x0000000004E00000-0x0000000004E74000-memory.dmp

Filesize
464KB

Download
memory/2820-5-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2820-4-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

Filesize
4KB

Download
memory/2820-0-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

Filesize
4KB

Download
memory/2820-14-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2820-2-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2820-1-0x0000000000B90000-0x0000000000C12000-memory.dmp

Filesize
520KB

Download