xloader | cfdc9cc4f1f491f68af1bec62154927ae5825ad9ffba8fc239341ab0a3f263c0

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order Specification Requirement With Ref. AMABINIF38535.exe
Size

558KB
MD5

ec44d0c4ec44347f9f8ee63b4bec5210
SHA1

362eda0fa5bd2cd4f50d0f7e9cf0cc641a08b163
SHA256

ed6182df3469dfdc4084aea0aca3714a90498401d608c7a0ab818329c42ab21f
SHA512

ee7e79980421b97fccdbe453c5daa98798fc82e8951c3d6aee49a939a1721e2c885ad22c69721488644f277e719d60d2fd1a8f595ceb370d29d899bbca7e1338
SSDEEP

6144:AO6oVJ59N2c3FEyohRbTnIkwcDku8dQDKfcQqUwSLjiXTkgQ:ASJ59r3F0bTnlwcDkuzMcfSLYTTQ

Score

10^/10

xloader utau discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.2

Campaign

utau

Decoy

frenchtogether.info

thefriendsofmaryc.com

meridianconversation.com

pleasingpleasure.com

relliant-rehab.com

meunegocioonlineoficial.com

jutuiess.site

sorelshopitalia.com

minnesotaunited.club

meditationmateau.com

wisheskennel.com

nothingbeatsagreatstory.com

equityinengineering.com

designantageuk.com

towstate.com

floridapremierestates.com

qianwanshang.com

mamentos.info

coraltechnologygroup.com

guoyijidian.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/4836-1-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/1860-9-0x0000000000840000-0x0000000000869000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4968 set thread context of 4836	4968	Order Specification Requirement With Ref. AMABINIF38535.exe	87
PID 4836 set thread context of 3440	4836	Order Specification Requirement With Ref. AMABINIF38535.exe	55
PID 1860 set thread context of 3440	1860	explorer.exe	55

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order Specification Requirement With Ref. AMABINIF38535.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4836	Order Specification Requirement With Ref. AMABINIF38535.exe
4836	Order Specification Requirement With Ref. AMABINIF38535.exe
4836	Order Specification Requirement With Ref. AMABINIF38535.exe
4836	Order Specification Requirement With Ref. AMABINIF38535.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4968	Order Specification Requirement With Ref. AMABINIF38535.exe
4836	Order Specification Requirement With Ref. AMABINIF38535.exe
4836	Order Specification Requirement With Ref. AMABINIF38535.exe
4836	Order Specification Requirement With Ref. AMABINIF38535.exe
1860	explorer.exe
1860	explorer.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4836	Order Specification Requirement With Ref. AMABINIF38535.exe
Token: SeDebugPrivilege	1860	explorer.exe
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3440	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4836	4968	Order Specification Requirement With Ref. AMABINIF38535.exe	87
PID 4968 wrote to memory of 4836	4968	Order Specification Requirement With Ref. AMABINIF38535.exe	87
PID 4968 wrote to memory of 4836	4968	Order Specification Requirement With Ref. AMABINIF38535.exe	87
PID 4968 wrote to memory of 4836	4968	Order Specification Requirement With Ref. AMABINIF38535.exe	87
PID 3440 wrote to memory of 1860	3440	Explorer.EXE	89
PID 3440 wrote to memory of 1860	3440	Explorer.EXE	89
PID 3440 wrote to memory of 1860	3440	Explorer.EXE	89
PID 1860 wrote to memory of 1336	1860	explorer.exe	94
PID 1860 wrote to memory of 1336	1860	explorer.exe	94
PID 1860 wrote to memory of 1336	1860	explorer.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Local\Temp\Order Specification Requirement With Ref. AMABINIF38535.exe
  "C:\Users\Admin\AppData\Local\Temp\Order Specification Requirement With Ref. AMABINIF38535.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\Order Specification Requirement With Ref. AMABINIF38535.exe
    "C:\Users\Admin\AppData\Local\Temp\Order Specification Requirement With Ref. AMABINIF38535.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4836
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Order Specification Requirement With Ref. AMABINIF38535.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1860-6-0x0000000000900000-0x0000000000D33000-memory.dmp

Filesize
4.2MB

Download
memory/1860-8-0x0000000000900000-0x0000000000D33000-memory.dmp

Filesize
4.2MB

Download
memory/1860-9-0x0000000000840000-0x0000000000869000-memory.dmp

Filesize
164KB

Download
memory/3440-5-0x0000000002EE0000-0x0000000003015000-memory.dmp

Filesize
1.2MB

Download
memory/3440-10-0x0000000002EE0000-0x0000000003015000-memory.dmp

Filesize
1.2MB

Download
memory/3440-14-0x0000000003230000-0x000000000335F000-memory.dmp

Filesize
1.2MB

Download
memory/3440-15-0x0000000003230000-0x000000000335F000-memory.dmp

Filesize
1.2MB

Download
memory/3440-17-0x0000000003230000-0x000000000335F000-memory.dmp

Filesize
1.2MB

Download
memory/4836-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4836-2-0x0000000000F50000-0x0000000000FB8000-memory.dmp

Filesize
416KB

Download
memory/4968-0-0x0000000000F82000-0x0000000000F85000-memory.dmp

Filesize
12KB

Download
memory/4968-3-0x0000000000F82000-0x0000000000F85000-memory.dmp

Filesize
12KB

Download