xloader | 7590ec9ca035b8a8789db1a5bf89f721179132fcbca4f97b7ebb9738d8e40ecb

Analysis

max time kernel
104s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1.exe
Size

890KB
MD5

ce9456b4b5deccd2f6d9465482326a4a
SHA1

c8e3393bdda11aab1ede3b0f73390891fb4cd379
SHA256

f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1
SHA512

a4dfd7edac6afde39b942dd18ebb80f0b91be948bffc73a07ad61668d4e83b9e622b498560a5a296cac21e1ddd6a39da5b1006ce4dfd04008062ffcad9142b6b
SSDEEP

12288:+VKdZyObtOG0OHttZpOohFSsymCpiuyWKNpaj31N7r+9o6YfBBqN8LX:+VMHwG0ON514iuyWEpaj+nYpg

Score

10^/10

xloader dn87 discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

dn87

Decoy

yiyuge.club

sdzrwoe.icu

divifarsi.com

sunsal.net

animeziyan.com

onlinemastersdegree.site

medknizhka.info

lowlife.one

livingroomexercise.com

themantrini.com

starconverters.com

kyssclothing.com

sa18i.art

smartdaymall.com

ohyeahblog.net

losriosnosunen.com

joannamarshwriter.com

restlanekysseoffer.com

oonabody.com

azarksigningagent.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/5908-4-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5780 set thread context of 5908	5780	f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1.exe	87

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5780	f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1.exe
5780	f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1.exe
5908	f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1.exe
5908	f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5780	f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5780 wrote to memory of 5908	5780	f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1.exe	87
PID 5780 wrote to memory of 5908	5780	f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1.exe	87
PID 5780 wrote to memory of 5908	5780	f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1.exe	87

C:\Users\Admin\AppData\Local\Temp\f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1.exe
"C:\Users\Admin\AppData\Local\Temp\f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5780
- C:\Users\Admin\AppData\Local\Temp\f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1.exe
  "C:\Users\Admin\AppData\Local\Temp\f413624c125a8e6e6e8f4ece883a646fe784bc5a8f4f21185da1df43adc76da1.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5780-0-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/5780-2-0x0000000002500000-0x0000000002513000-memory.dmp

Filesize
76KB

Download
memory/5780-3-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/5780-5-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/5908-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download