xloader | 9b9cdf468e088138aa3ef409c34c5e8bda0eaa8d7b0ce8a43494089b00cf6cae

General

Target

Fatura_Um0slpC3IsVAmnv.exe
Size

594KB
MD5

e192091f95cde41724533037eee016f1
SHA1

3e31af5c3dacf364505ce50c1bc59f14efad372b
SHA256

00c31ece69362a5cccc665bc1d57b48240d5bf53cbb159cb72b26454849e798e
SHA512

ee46f4aa86e0594d9432ba3dc505b6faaddecfd37ae8219b5e69e10971874c0636358fd780580f3aa80a8cf38f645efe47ee96a83f3672fff41a1fbedfb59df6
SSDEEP

12288:bdSPwG60J+z7X++4567hYUDK4H9JW774ysGbBS3f:5lG6t74o9Ykd87Vb+f

Score

10^/10

xloader agwz discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

agwz

Decoy

organicsifa.com

microlivros.com

kharestudio.com

processautomationsystem.com

359192.com

user-id06783.com

hoopletesonline.com

camrashos.com

xfgyzzm.icu

jjjllcbooking.com

ztouh.info

mynetlfis.info

honeydigi.com

claytelier.com

hbozoom.com

theleftreports.net

drmenelaou.com

ignoringracism.com

querofalardesaude.com

smithysminicharters.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2768-11-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/2768-15-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Deletes itself 1 IoCs

pid	Process
1688	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1792 set thread context of 2768	1792	Fatura_Um0slpC3IsVAmnv.exe	30
PID 2768 set thread context of 1196	2768	Fatura_Um0slpC3IsVAmnv.exe	21
PID 3068 set thread context of 1196	3068	wscript.exe	21

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fatura_Um0slpC3IsVAmnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1792	Fatura_Um0slpC3IsVAmnv.exe
1792	Fatura_Um0slpC3IsVAmnv.exe
1792	Fatura_Um0slpC3IsVAmnv.exe
2768	Fatura_Um0slpC3IsVAmnv.exe
2768	Fatura_Um0slpC3IsVAmnv.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe
3068	wscript.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2768	Fatura_Um0slpC3IsVAmnv.exe
2768	Fatura_Um0slpC3IsVAmnv.exe
2768	Fatura_Um0slpC3IsVAmnv.exe
3068	wscript.exe
3068	wscript.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	Fatura_Um0slpC3IsVAmnv.exe
Token: SeDebugPrivilege	2768	Fatura_Um0slpC3IsVAmnv.exe
Token: SeDebugPrivilege	3068	wscript.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2768	1792	Fatura_Um0slpC3IsVAmnv.exe	30
PID 1792 wrote to memory of 2768	1792	Fatura_Um0slpC3IsVAmnv.exe	30
PID 1792 wrote to memory of 2768	1792	Fatura_Um0slpC3IsVAmnv.exe	30
PID 1792 wrote to memory of 2768	1792	Fatura_Um0slpC3IsVAmnv.exe	30
PID 1792 wrote to memory of 2768	1792	Fatura_Um0slpC3IsVAmnv.exe	30
PID 1792 wrote to memory of 2768	1792	Fatura_Um0slpC3IsVAmnv.exe	30
PID 1792 wrote to memory of 2768	1792	Fatura_Um0slpC3IsVAmnv.exe	30
PID 1196 wrote to memory of 3068	1196	Explorer.EXE	31
PID 1196 wrote to memory of 3068	1196	Explorer.EXE	31
PID 1196 wrote to memory of 3068	1196	Explorer.EXE	31
PID 1196 wrote to memory of 3068	1196	Explorer.EXE	31
PID 3068 wrote to memory of 1688	3068	wscript.exe	32
PID 3068 wrote to memory of 1688	3068	wscript.exe	32
PID 3068 wrote to memory of 1688	3068	wscript.exe	32
PID 3068 wrote to memory of 1688	3068	wscript.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\Fatura_Um0slpC3IsVAmnv.exe
  "C:\Users\Admin\AppData\Local\Temp\Fatura_Um0slpC3IsVAmnv.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\Fatura_Um0slpC3IsVAmnv.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Fatura_Um0slpC3IsVAmnv.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-21-0x0000000006AB0000-0x0000000006BB1000-memory.dmp

Filesize
1.0MB

Download
memory/1196-17-0x0000000006AB0000-0x0000000006BB1000-memory.dmp

Filesize
1.0MB

Download
memory/1792-12-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/1792-1-0x00000000011E0000-0x000000000127A000-memory.dmp

Filesize
616KB

Download
memory/1792-2-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/1792-3-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1792-4-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/1792-5-0x0000000004D60000-0x0000000004DD2000-memory.dmp

Filesize
456KB

Download
memory/1792-6-0x0000000000D40000-0x0000000000D9C000-memory.dmp

Filesize
368KB

Download
memory/1792-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

Filesize
4KB

Download
memory/2768-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2768-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2768-13-0x00000000009A0000-0x0000000000CA3000-memory.dmp

Filesize
3.0MB

Download
memory/2768-16-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2768-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2768-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2768-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3068-18-0x0000000000FA0000-0x0000000000FC6000-memory.dmp

Filesize
152KB

Download
memory/3068-20-0x0000000000FA0000-0x0000000000FC6000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing