xloader | babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e

General

Target

babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
Size

212KB
MD5

4d2dfa95fd5af26aa2c2f44b4f54a73a
SHA1

2dd957be65d8a28140b7a910e8b9da9b695ef281
SHA256

babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e
SHA512

c82d9424722d5a36904963e1cfab6602721495bfde358a8517a5ef7d78d34a2c52546127ff3a4954ce69832e5b936690c9389dd94f7a5598ad37f905ae30c56f

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.hono-idea.com/bncm/

Decoy

reflexinsurance.com

autofilterfinder.com

tonisoftball.com

xl0775.com

ekeela.com

yuukaidojo.com

power199.com

smilingpress.net

ssmnashvillerecordingstudio.com

lagacetarivieramaya.com

reves-ailes.com

unattractiveappearance.cloud

sabinoforshe.com

hiphopnaija.xyz

cxosshatch.com

positivses.com

o0djh.site

yfsdy33.club

eesap.com

nothingbutallgoods.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2036-63-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

Processes:

babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe

pid process

1632 babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe

description	pid	process	target process
PID 1632 set thread context of 2036	1632	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exebabda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe

pid	process
1632	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
1632	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
1632	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
1632	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
2036	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe

pid process

1632 babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe

description	pid	process	target process
PID 1632 wrote to memory of 2036	1632	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
PID 1632 wrote to memory of 2036	1632	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
PID 1632 wrote to memory of 2036	1632	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
PID 1632 wrote to memory of 2036	1632	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
PID 1632 wrote to memory of 2036	1632	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe	babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe

C:\Users\Admin\AppData\Local\Temp\babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
"C:\Users\Admin\AppData\Local\Temp\babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
"C:\Users\Admin\AppData\Local\Temp\babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsi4E80.tmp\xm4g7kn3knz8.dll
MD5
01b11ba883e3966751feccccaab081ad

SHA1
c6f907f8bee6c7cd9997b881f775953961b9454e

SHA256
857d06ea32e6156371392551315ae85a5bebf6096e200f4ce68a1e0588ae1cb5

SHA512
5ddbef372d739a7119c31e57d7566d8fcb2ca75708e4b15f6b2b2c4f721c07bfbd413f8346812566700cc5db85683d603d11e51e1bb5be75ab386531d5895817

Download Submit
memory/1632-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/2036-62-0x000000000041CFF0-mapping.dmp

Download
memory/2036-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2036-64-0x0000000000730000-0x0000000000A33000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads