xloader | 9c7600acbd54dc47b8a0615fb75d72dfc84e78266f1c8a0059520e57a97dca91

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scan_00003984849905654356.exe
Size

365KB
MD5

29eaa8092a2847b8b13922f9e97441a0
SHA1

36ef99adb92e1ed025a47c5edb9a8a373dbafb0e
SHA256

9c24cb754ba7bd9c72075bb67b4254763a891a0086316f9217c3f247d84cff61
SHA512

b37099aff517abe64c7f1837e82a90ab767c0215947159c84ef91de55018006e13fdad7a2eb64a59a6ae7fa9d39c2c0f018b8d22496661551b0ae9dae314393b
SSDEEP

6144:UPAObj0k20+ZfFzB5xNb47b1AMGXX9WjMilj/OojjE7T1DpnwmNfSle8Vdv3j/:UP1bY8+ZfFzBtbYAt9EMiF/o7pFwmNfC

Score

10^/10

xloader er3b discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

er3b

Decoy

mapaccelerated.com

deanartpg.com

southboundsisters.com

ocstutoriales.com

sappe2france.com

morethanentertained.com

kees3d.com

jjsuzuki.com

heroldmion.com

globeheattreaters.com

ompassionatetelemedicine.com

pacificwestsurrogacy.com

eaplsy.com

lccdqrvgw.icu

collectorcarshop.com

438tamarack.com

gokuid.com

jessicavelasquez.com

avanthomeinspections.com

thebrushstory.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/4888-2-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/4888-5-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/1644-11-0x00000000008C0000-0x00000000008E8000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 4888	2220	Scan_00003984849905654356.exe	83
PID 4888 set thread context of 3588	4888	Scan_00003984849905654356.exe	56
PID 1644 set thread context of 3588	1644	wlanext.exe	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Scan_00003984849905654356.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4888	Scan_00003984849905654356.exe
4888	Scan_00003984849905654356.exe
4888	Scan_00003984849905654356.exe
4888	Scan_00003984849905654356.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe
1644	wlanext.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2220	Scan_00003984849905654356.exe
4888	Scan_00003984849905654356.exe
4888	Scan_00003984849905654356.exe
4888	Scan_00003984849905654356.exe
1644	wlanext.exe
1644	wlanext.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4888	Scan_00003984849905654356.exe
Token: SeDebugPrivilege	1644	wlanext.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 4888	2220	Scan_00003984849905654356.exe	83
PID 2220 wrote to memory of 4888	2220	Scan_00003984849905654356.exe	83
PID 2220 wrote to memory of 4888	2220	Scan_00003984849905654356.exe	83
PID 2220 wrote to memory of 4888	2220	Scan_00003984849905654356.exe	83
PID 3588 wrote to memory of 1644	3588	Explorer.EXE	84
PID 3588 wrote to memory of 1644	3588	Explorer.EXE	84
PID 3588 wrote to memory of 1644	3588	Explorer.EXE	84
PID 1644 wrote to memory of 3684	1644	wlanext.exe	87
PID 1644 wrote to memory of 3684	1644	wlanext.exe	87
PID 1644 wrote to memory of 3684	1644	wlanext.exe	87

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\AppData\Local\Temp\Scan_00003984849905654356.exe
  "C:\Users\Admin\AppData\Local\Temp\Scan_00003984849905654356.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\Scan_00003984849905654356.exe
    "C:\Users\Admin\AppData\Local\Temp\Scan_00003984849905654356.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4888
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Scan_00003984849905654356.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1644-10-0x0000000000860000-0x0000000000877000-memory.dmp

Filesize
92KB

Download
memory/1644-11-0x00000000008C0000-0x00000000008E8000-memory.dmp

Filesize
160KB

Download
memory/1644-8-0x0000000000860000-0x0000000000877000-memory.dmp

Filesize
92KB

Download
memory/2220-1-0x0000000001000000-0x0000000001100000-memory.dmp

Filesize
1024KB

Download
memory/3588-12-0x0000000008930000-0x0000000008A69000-memory.dmp

Filesize
1.2MB

Download
memory/3588-7-0x0000000008930000-0x0000000008A69000-memory.dmp

Filesize
1.2MB

Download
memory/3588-15-0x0000000008010000-0x0000000008107000-memory.dmp

Filesize
988KB

Download
memory/3588-17-0x0000000008010000-0x0000000008107000-memory.dmp

Filesize
988KB

Download
memory/3588-18-0x0000000008010000-0x0000000008107000-memory.dmp

Filesize
988KB

Download
memory/4888-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4888-6-0x0000000000DB0000-0x0000000000DC1000-memory.dmp

Filesize
68KB

Download
memory/4888-3-0x00000000012D0000-0x000000000161A000-memory.dmp

Filesize
3.3MB

Download
memory/4888-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download