xloader | 709fc33b5583c479174e8149fcf28a50a50653cc19ba49fb917de4e8ff2ad22c

General

Target

order payment.exe
Size

291KB
MD5

ec2853c83cff7b763bb603a2754749f1
SHA1

0d7e640764aea9b1a8585ac57edf8e2061cd5c61
SHA256

9cb67c087ee707c5878f773e00cc4d55ad3b9fa3092b9ea9614647a06a9c9003
SHA512

e8f6521f398c1670f3efb5b34b52e58eb8f960a8496e81d5ea180ff763581fa7802ca1352a6ec5733d449f68e0a1918c8744fd8b824e9b15ad10086330e8ec5c
SSDEEP

6144:owkx9R0tcuke6acPbZv8f3tdSUmuzpJ40N/btqbJZCZquFHyqWUG:m9R1GuPN8/VdpJD5eZATHyMG

Score

10^/10

xloader voa9 discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

voa9

Decoy

hamedsoleimani.com

21t8.com

closurefroioj.xyz

1840beverlyglen308.com

zp1915213066.xyz

fesoftware.net

alamana.group

assetto.tech

vizitafrica.com

kalinganet.com

brzksmly.com

bipcursos.com

ketquaxskt.com

shemaworld.com

niftyyak.com

lockwoodtowncenter.com

carteiradetrafego.com

877561.com

handwrittenbooks.com

stribl.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1236-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1236-17-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/2096-22-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

pid	Process
1908	hgdwc.exe
1236	hgdwc.exe

Loads dropped DLL 2 IoCs

pid	Process
1540	order payment.exe
1908	hgdwc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1908 set thread context of 1236	1908	hgdwc.exe	31
PID 1236 set thread context of 1220	1236	hgdwc.exe	21
PID 2096 set thread context of 1220	2096	ipconfig.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	order payment.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hgdwc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2096	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1236	hgdwc.exe
1236	hgdwc.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe
2096	ipconfig.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1236	hgdwc.exe
1236	hgdwc.exe
1236	hgdwc.exe
2096	ipconfig.exe
2096	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1236	hgdwc.exe
Token: SeDebugPrivilege	2096	ipconfig.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1908	1540	order payment.exe	30
PID 1540 wrote to memory of 1908	1540	order payment.exe	30
PID 1540 wrote to memory of 1908	1540	order payment.exe	30
PID 1540 wrote to memory of 1908	1540	order payment.exe	30
PID 1908 wrote to memory of 1236	1908	hgdwc.exe	31
PID 1908 wrote to memory of 1236	1908	hgdwc.exe	31
PID 1908 wrote to memory of 1236	1908	hgdwc.exe	31
PID 1908 wrote to memory of 1236	1908	hgdwc.exe	31
PID 1908 wrote to memory of 1236	1908	hgdwc.exe	31
PID 1908 wrote to memory of 1236	1908	hgdwc.exe	31
PID 1908 wrote to memory of 1236	1908	hgdwc.exe	31
PID 1220 wrote to memory of 2096	1220	Explorer.EXE	33
PID 1220 wrote to memory of 2096	1220	Explorer.EXE	33
PID 1220 wrote to memory of 2096	1220	Explorer.EXE	33
PID 1220 wrote to memory of 2096	1220	Explorer.EXE	33
PID 2096 wrote to memory of 2412	2096	ipconfig.exe	34
PID 2096 wrote to memory of 2412	2096	ipconfig.exe	34
PID 2096 wrote to memory of 2412	2096	ipconfig.exe	34
PID 2096 wrote to memory of 2412	2096	ipconfig.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\order payment.exe
  "C:\Users\Admin\AppData\Local\Temp\order payment.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\hgdwc.exe
    C:\Users\Admin\AppData\Local\Temp\hgdwc.exe C:\Users\Admin\AppData\Local\Temp\iukir
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\hgdwc.exe
      C:\Users\Admin\AppData\Local\Temp\hgdwc.exe C:\Users\Admin\AppData\Local\Temp\iukir
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1236
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2632
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\hgdwc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adf407wb8l0r7

Filesize
210KB

MD5
b601f33851f78660a0b5abc2be3e83bb

SHA1
c5fdb470e113470381935e9c2c10051aefb76970

SHA256
1b69e05ac65da2ee1ba67be6aa16cff03cf880962630932e8523ff82cd71370b

SHA512
82ff6b2355814f7b7a132b87f18bafec6b7d0c5f4b8b55eed13bee55c92069ea257f72305999fdfddd0620980850cf2dbc82d34bd6c5b3d3118aa3e008b08971

Download Submit
C:\Users\Admin\AppData\Local\Temp\iukir

Filesize
4KB

MD5
5cd6eb17496e11cfe215c6e123bc2091

SHA1
f4f8d3dd2668eb41cf435f8728f05e1771aac559

SHA256
0599672c94c4632563c14238136c245df9b7166afabee2a64786835e09a67ad7

SHA512
923cf8962aa052cc503df2ceeb18cec6f4fc29f26347146e5c0f8317ddf71f5e56724668bfe2840051433a3b83094839449a9af90dc375b23d7f46307b28d8bc

Download Submit
\Users\Admin\AppData\Local\Temp\hgdwc.exe

Filesize
120KB

MD5
b1179c8714525c79f49b3e1cdbb37339

SHA1
7cae6fbe83da4a0a0cd4f090e731d50c7622aa05

SHA256
dbff6c480833bf385c392057177822a2b6c7cc988ec6305c021aacf3e89c0f94

SHA512
e23b43787e81f758e2758febe49c89680dbda8373acf3301b0092339f537c734425724bf13c7f210e8b76541cee68a544f8f8bc8682d24e138fd59815d0774a1

Download Submit
memory/1220-23-0x0000000006BF0000-0x0000000006D28000-memory.dmp

Filesize
1.2MB

Download
memory/1220-19-0x0000000006BF0000-0x0000000006D28000-memory.dmp

Filesize
1.2MB

Download
memory/1236-18-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/1236-15-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1236-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1236-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1908-9-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download
memory/2096-20-0x0000000000F70000-0x0000000000F7A000-memory.dmp

Filesize
40KB

Download
memory/2096-21-0x0000000000F70000-0x0000000000F7A000-memory.dmp

Filesize
40KB

Download
memory/2096-22-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing