xloader | 9b9cdf468e088138aa3ef409c34c5e8bda0eaa8d7b0ce8a43494089b00cf6cae

General

Target

Fatura_Um0slpC3IsVAmnv.exe
Size

594KB
MD5

e192091f95cde41724533037eee016f1
SHA1

3e31af5c3dacf364505ce50c1bc59f14efad372b
SHA256

00c31ece69362a5cccc665bc1d57b48240d5bf53cbb159cb72b26454849e798e
SHA512

ee46f4aa86e0594d9432ba3dc505b6faaddecfd37ae8219b5e69e10971874c0636358fd780580f3aa80a8cf38f645efe47ee96a83f3672fff41a1fbedfb59df6
SSDEEP

12288:bdSPwG60J+z7X++4567hYUDK4H9JW774ysGbBS3f:5lG6t74o9Ykd87Vb+f

Score

10^/10

xloader agwz discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

agwz

Decoy

organicsifa.com

microlivros.com

kharestudio.com

processautomationsystem.com

359192.com

user-id06783.com

hoopletesonline.com

camrashos.com

xfgyzzm.icu

jjjllcbooking.com

ztouh.info

mynetlfis.info

honeydigi.com

claytelier.com

hbozoom.com

theleftreports.net

drmenelaou.com

ignoringracism.com

querofalardesaude.com

smithysminicharters.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/716-13-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/716-18-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 720 set thread context of 716	720	Fatura_Um0slpC3IsVAmnv.exe	100
PID 716 set thread context of 3532	716	Fatura_Um0slpC3IsVAmnv.exe	56
PID 3368 set thread context of 3532	3368	msdt.exe	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fatura_Um0slpC3IsVAmnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
720	Fatura_Um0slpC3IsVAmnv.exe
720	Fatura_Um0slpC3IsVAmnv.exe
720	Fatura_Um0slpC3IsVAmnv.exe
716	Fatura_Um0slpC3IsVAmnv.exe
716	Fatura_Um0slpC3IsVAmnv.exe
716	Fatura_Um0slpC3IsVAmnv.exe
716	Fatura_Um0slpC3IsVAmnv.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe
3368	msdt.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
716	Fatura_Um0slpC3IsVAmnv.exe
716	Fatura_Um0slpC3IsVAmnv.exe
716	Fatura_Um0slpC3IsVAmnv.exe
3368	msdt.exe
3368	msdt.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	720	Fatura_Um0slpC3IsVAmnv.exe
Token: SeDebugPrivilege	716	Fatura_Um0slpC3IsVAmnv.exe
Token: SeDebugPrivilege	3368	msdt.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 720 wrote to memory of 716	720	Fatura_Um0slpC3IsVAmnv.exe	100
PID 720 wrote to memory of 716	720	Fatura_Um0slpC3IsVAmnv.exe	100
PID 720 wrote to memory of 716	720	Fatura_Um0slpC3IsVAmnv.exe	100
PID 720 wrote to memory of 716	720	Fatura_Um0slpC3IsVAmnv.exe	100
PID 720 wrote to memory of 716	720	Fatura_Um0slpC3IsVAmnv.exe	100
PID 720 wrote to memory of 716	720	Fatura_Um0slpC3IsVAmnv.exe	100
PID 3532 wrote to memory of 3368	3532	Explorer.EXE	101
PID 3532 wrote to memory of 3368	3532	Explorer.EXE	101
PID 3532 wrote to memory of 3368	3532	Explorer.EXE	101
PID 3368 wrote to memory of 1708	3368	msdt.exe	102
PID 3368 wrote to memory of 1708	3368	msdt.exe	102
PID 3368 wrote to memory of 1708	3368	msdt.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\AppData\Local\Temp\Fatura_Um0slpC3IsVAmnv.exe
  "C:\Users\Admin\AppData\Local\Temp\Fatura_Um0slpC3IsVAmnv.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Users\Admin\AppData\Local\Temp\Fatura_Um0slpC3IsVAmnv.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:716
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Fatura_Um0slpC3IsVAmnv.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/716-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/716-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/716-19-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/716-16-0x0000000001340000-0x000000000168A000-memory.dmp

Filesize
3.3MB

Download
memory/720-12-0x000000000C790000-0x000000000C82C000-memory.dmp

Filesize
624KB

Download
memory/720-3-0x0000000005220000-0x00000000052B2000-memory.dmp

Filesize
584KB

Download
memory/720-6-0x0000000005D80000-0x00000000060D4000-memory.dmp

Filesize
3.3MB

Download
memory/720-7-0x00000000051C0000-0x00000000051CA000-memory.dmp

Filesize
40KB

Download
memory/720-8-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

Filesize
4KB

Download
memory/720-9-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/720-10-0x0000000006D70000-0x0000000006DE2000-memory.dmp

Filesize
456KB

Download
memory/720-11-0x0000000009390000-0x00000000093EC000-memory.dmp

Filesize
368KB

Download
memory/720-0-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

Filesize
4KB

Download
memory/720-5-0x0000000005190000-0x000000000519A000-memory.dmp

Filesize
40KB

Download
memory/720-15-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/720-4-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/720-2-0x00000000057D0000-0x0000000005D74000-memory.dmp

Filesize
5.6MB

Download
memory/720-1-0x0000000000740000-0x00000000007DA000-memory.dmp

Filesize
616KB

Download
memory/3368-21-0x0000000000650000-0x00000000006A7000-memory.dmp

Filesize
348KB

Download
memory/3368-22-0x0000000000650000-0x00000000006A7000-memory.dmp

Filesize
348KB

Download
memory/3532-20-0x0000000003170000-0x0000000003245000-memory.dmp

Filesize
852KB

Download
memory/3532-23-0x0000000003170000-0x0000000003245000-memory.dmp

Filesize
852KB

Download
memory/3532-27-0x0000000008B30000-0x0000000008CB9000-memory.dmp

Filesize
1.5MB

Download
memory/3532-28-0x0000000008B30000-0x0000000008CB9000-memory.dmp

Filesize
1.5MB

Download
memory/3532-30-0x0000000008B30000-0x0000000008CB9000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing