xloader | 075a0e3ac5e88670bade4e5b3bdeff4610060dc0328ec689453ccc441288368a

General

Target

Petrogulf 108-22.exe
Size

778KB
MD5

265e12d9de5e962b90ab8d8dd39e3a66
SHA1

2799490cd1831593b1c2694978c1dbec849bf96e
SHA256

28c28db28e96276f72ce38a60d04f0711388d3f93ecb34d4721dc94fc2bf9f07
SHA512

151e6a34dacd3a0371b7c9e5d88ecdc596074a2efc14dc834f0cf75ca5e7947224c961e985f6c32f6e6166853caff80b595c858c69088dea1866e9f4d9d2c481
SSDEEP

12288:WkgFEJgYYz0wnHZHEQRmYIso2huSWCL9xLEmSAQ31nPq2oK9PO/Z:q9jRdlIsvuSN5p2q2oKg/

Score

10^/10

xloader w8n5 discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

w8n5

Decoy

abolpij.space

secured-service-only.com

themoihay.com

uganda-info.com

readytrove.com

nehaandrajb.com

scuolapadelroma.store

childrensartcafe.com

intelldat.com

jinxedjesterdesigns.com

smallbusinessadminfunds.com

woody.email

effetasolutions.com

miied.com

oxszdt.biz

cdxgkj.com

thebestgpstracker.com

damancavexclusive.com

digitalboat.cloud

eyelikesystems.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2916-11-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2916-16-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2916-20-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2464-27-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2096 set thread context of 2916	2096	Petrogulf 108-22.exe	31
PID 2916 set thread context of 1216	2916	MSBuild.exe	21
PID 2916 set thread context of 1216	2916	MSBuild.exe	21
PID 2464 set thread context of 1216	2464	NAPSTAT.EXE	21

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NAPSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Petrogulf 108-22.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2916	MSBuild.exe
2916	MSBuild.exe
2916	MSBuild.exe
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2916	MSBuild.exe
2916	MSBuild.exe
2916	MSBuild.exe
2916	MSBuild.exe
2464	NAPSTAT.EXE
2464	NAPSTAT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	MSBuild.exe
Token: SeDebugPrivilege	2464	NAPSTAT.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2916	2096	Petrogulf 108-22.exe	31
PID 2096 wrote to memory of 2916	2096	Petrogulf 108-22.exe	31
PID 2096 wrote to memory of 2916	2096	Petrogulf 108-22.exe	31
PID 2096 wrote to memory of 2916	2096	Petrogulf 108-22.exe	31
PID 2096 wrote to memory of 2916	2096	Petrogulf 108-22.exe	31
PID 2096 wrote to memory of 2916	2096	Petrogulf 108-22.exe	31
PID 2096 wrote to memory of 2916	2096	Petrogulf 108-22.exe	31
PID 1216 wrote to memory of 2464	1216	Explorer.EXE	32
PID 1216 wrote to memory of 2464	1216	Explorer.EXE	32
PID 1216 wrote to memory of 2464	1216	Explorer.EXE	32
PID 1216 wrote to memory of 2464	1216	Explorer.EXE	32
PID 2464 wrote to memory of 2664	2464	NAPSTAT.EXE	33
PID 2464 wrote to memory of 2664	2464	NAPSTAT.EXE	33
PID 2464 wrote to memory of 2664	2464	NAPSTAT.EXE	33
PID 2464 wrote to memory of 2664	2464	NAPSTAT.EXE	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\Petrogulf 108-22.exe
  "C:\Users\Admin\AppData\Local\Temp\Petrogulf 108-22.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1216-18-0x0000000005050000-0x0000000005186000-memory.dmp

Filesize
1.2MB

Download
memory/1216-28-0x0000000006740000-0x0000000006885000-memory.dmp

Filesize
1.3MB

Download
memory/1216-22-0x0000000005050000-0x0000000005186000-memory.dmp

Filesize
1.2MB

Download
memory/1216-23-0x0000000006740000-0x0000000006885000-memory.dmp

Filesize
1.3MB

Download
memory/2096-6-0x0000000005980000-0x0000000005A30000-memory.dmp

Filesize
704KB

Download
memory/2096-4-0x000000007412E000-0x000000007412F000-memory.dmp

Filesize
4KB

Download
memory/2096-0-0x000000007412E000-0x000000007412F000-memory.dmp

Filesize
4KB

Download
memory/2096-7-0x0000000001F80000-0x0000000001FB0000-memory.dmp

Filesize
192KB

Download
memory/2096-1-0x0000000000240000-0x0000000000308000-memory.dmp

Filesize
800KB

Download
memory/2096-12-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2096-2-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2096-3-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/2096-5-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2464-27-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/2464-26-0x0000000000A60000-0x0000000000AA6000-memory.dmp

Filesize
280KB

Download
memory/2464-24-0x0000000000A60000-0x0000000000AA6000-memory.dmp

Filesize
280KB

Download
memory/2916-14-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/2916-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2916-15-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2916-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2916-21-0x00000000004A0000-0x00000000004B1000-memory.dmp

Filesize
68KB

Download
memory/2916-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2916-10-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2916-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2916-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing