xloader | a41ba93183d03c4cf6b138170fab1d15c306918bb4acd1c2cbc3ee53765e5564

Analysis

max time kernel
96s
max time network
34s
platform
windows7_x64
resource
win7v20210408
submitted
17-09-2021 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

866d1aeb69daac5e6e4dda938edf8d26.exe
Size

430KB
MD5

866d1aeb69daac5e6e4dda938edf8d26
SHA1

184f3ae0508d5004a9e3fe981cbc830092d41ed7
SHA256

a41ba93183d03c4cf6b138170fab1d15c306918bb4acd1c2cbc3ee53765e5564
SHA512

e488ee1b612c683c72c9ce7d33727d1f6daa6f1bdb599b9f77fd2cf6f0b7122d650a4347bfb836bf4b5e111c92057ecfb91fd517821c32cf7b1fc246ec8bfcee

Score

10^/10

xloader b6a4 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

b6a4

http://www.helpmovingandstorage.com/b6a4/

Decoy

gr2future.com

asteroid.finance

skoba-plast.com

rnerfrfw5z3ki.net

thesmartroadtoretirement.com

avisdrummondhomes.com

banban365.net

profesyonelkampcadiri.net

royalloanhs.com

yulujy.com

xn--naqejahan-n3b.com

msalee.net

dollyvee.com

albertagamehawkersclub.com

cbspecialists.com

findingforeverrealty.com

mrtireshop.com

wadamasanari.com

growtechinfo.com

qipai039.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/268-61-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

866d1aeb69daac5e6e4dda938edf8d26.exe

description pid process target process

PID 2044 set thread context of 268 2044 866d1aeb69daac5e6e4dda938edf8d26.exe 866d1aeb69daac5e6e4dda938edf8d26.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

866d1aeb69daac5e6e4dda938edf8d26.exe

pid process

268 866d1aeb69daac5e6e4dda938edf8d26.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

866d1aeb69daac5e6e4dda938edf8d26.exe

pid process

2044 866d1aeb69daac5e6e4dda938edf8d26.exe

description	pid	process	target process
PID 2044 set thread context of 268	2044	866d1aeb69daac5e6e4dda938edf8d26.exe	866d1aeb69daac5e6e4dda938edf8d26.exe

pid	process
268	866d1aeb69daac5e6e4dda938edf8d26.exe

pid	process
2044	866d1aeb69daac5e6e4dda938edf8d26.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

866d1aeb69daac5e6e4dda938edf8d26.exe

description	pid	process	target process
PID 2044 wrote to memory of 268	2044	866d1aeb69daac5e6e4dda938edf8d26.exe	866d1aeb69daac5e6e4dda938edf8d26.exe
PID 2044 wrote to memory of 268	2044	866d1aeb69daac5e6e4dda938edf8d26.exe	866d1aeb69daac5e6e4dda938edf8d26.exe
PID 2044 wrote to memory of 268	2044	866d1aeb69daac5e6e4dda938edf8d26.exe	866d1aeb69daac5e6e4dda938edf8d26.exe
PID 2044 wrote to memory of 268	2044	866d1aeb69daac5e6e4dda938edf8d26.exe	866d1aeb69daac5e6e4dda938edf8d26.exe
PID 2044 wrote to memory of 268	2044	866d1aeb69daac5e6e4dda938edf8d26.exe	866d1aeb69daac5e6e4dda938edf8d26.exe

C:\Users\Admin\AppData\Local\Temp\866d1aeb69daac5e6e4dda938edf8d26.exe
"C:\Users\Admin\AppData\Local\Temp\866d1aeb69daac5e6e4dda938edf8d26.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\866d1aeb69daac5e6e4dda938edf8d26.exe
"C:\Users\Admin\AppData\Local\Temp\866d1aeb69daac5e6e4dda938edf8d26.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:268

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-59-0x000000000041D0B0-mapping.dmp

Download
memory/268-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/268-62-0x0000000000C70000-0x0000000000F73000-memory.dmp

Filesize
3.0MB

Download
memory/2044-60-0x0000000000290000-0x0000000000292000-memory.dmp

Filesize
8KB

Download