xloader | c87415b188828e354d7f87edc4184c94adb757258e79ab5e1e6e200a8c8df52c

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-en-20211014
submitted
22-10-2021 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

940fb7ef71682b6110d7c2d37a92f5df.exe
Size

350KB
MD5

940fb7ef71682b6110d7c2d37a92f5df
SHA1

f399fbab1d1db9c10294a3cb23d71c33947d286b
SHA256

c87415b188828e354d7f87edc4184c94adb757258e79ab5e1e6e200a8c8df52c
SHA512

f49ea7300c4142bc262cce914d1d34e5185fc1080b162dc2d617082e792fa0222ce366af8453ca8f7bc5a454e6a83c93f0be295cc2d9e436458a5d49c3e6e57f

Score

10^/10

xloader bs8f loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

bs8f

http://www.rwilogisticsandbrokerage.com/bs8f/

Decoy

vasilnikov.com

parkate.club

pol360.com

handmadequatang.com

consult-set.com

nourkoki.com

theveganfusspot.com

dreamssail.com

pinpinyouqian.xyz

satellitphonestore.com

yotosunny.com

telosaolympics.com

gogetemm.com

yozotnpasumo2.xyz

avantgardemarket.com

glenndcp.com

dirtydriverz.com

avaui.com

anchoredtheblog.com

marianaoliveiraarquitetura.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1588-56-0x0000000000220000-0x0000000000249000-memory.dmp	xloader

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

320 1588 WerFault.exe 940fb7ef71682b6110d7c2d37a92f5df.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

320 WerFault.exe
320 WerFault.exe
320 WerFault.exe
320 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

320 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 320 WerFault.exe

pid	pid_target	process	target process
320	1588	WerFault.exe	940fb7ef71682b6110d7c2d37a92f5df.exe

pid	process
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe
320	WerFault.exe

pid	process
320	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	320	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

940fb7ef71682b6110d7c2d37a92f5df.exe

description	pid	process	target process
PID 1588 wrote to memory of 320	1588	940fb7ef71682b6110d7c2d37a92f5df.exe	WerFault.exe
PID 1588 wrote to memory of 320	1588	940fb7ef71682b6110d7c2d37a92f5df.exe	WerFault.exe
PID 1588 wrote to memory of 320	1588	940fb7ef71682b6110d7c2d37a92f5df.exe	WerFault.exe
PID 1588 wrote to memory of 320	1588	940fb7ef71682b6110d7c2d37a92f5df.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\940fb7ef71682b6110d7c2d37a92f5df.exe
"C:\Users\Admin\AppData\Local\Temp\940fb7ef71682b6110d7c2d37a92f5df.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 52
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:320

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-57-0x0000000000000000-mapping.dmp

Download
memory/320-58-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/320-59-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1588-55-0x0000000000A08000-0x0000000000A29000-memory.dmp

Filesize
132KB

Download
memory/1588-56-0x0000000000220000-0x0000000000249000-memory.dmp

Filesize
164KB

Download