xloader | 6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114

Analysis

max time kernel
91s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-05-2022 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114.exe
Size

260KB
MD5

44a6829e3ee6c5d98fccde99b502f7e2
SHA1

a64dce6694fc716860a52b367317efc095e46756
SHA256

6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114
SHA512

94a51cc57016387bc64107f4b159dd9bfb588fca597bbec9137e94ef832e2a1471a742bd20de3405f2c9cdf4b3b7436ac6889295ba424d678236232d148c26cd

Score

10^/10

xloader be4o loader rat

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

be4o

Decoy

laboratoriobioixcha.com

tictocperushop.online

wild-oceans.com

belaruscountry.com

kicktmall.com

fitcoinweb.tech

mores.one

gogear.one

gxrcksy.com

samrcq.com

impossible-icecream.com

bravesxx.com

bookchainart.com

sleepsolutionsofmboro.com

ocbrazilbusinessclub.com

advisor76.xyz

xitaotech.com

mgsdtytifgf3414.xyz

johnson-brown.net

cr3drt.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1072-134-0x00000000005B0000-0x00000000005DB000-memory.dmp	xloader

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114.exe

description	pid	process	target process
PID 1424 set thread context of 1072	1424	6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114.exe	vbc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4808 1072 WerFault.exe vbc.exe

pid	pid_target	process	target process
4808	1072	WerFault.exe	vbc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114.exe

description	pid	process	target process
PID 1424 wrote to memory of 1072	1424	6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114.exe	vbc.exe
PID 1424 wrote to memory of 1072	1424	6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114.exe	vbc.exe
PID 1424 wrote to memory of 1072	1424	6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114.exe	vbc.exe
PID 1424 wrote to memory of 1072	1424	6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114.exe	vbc.exe
PID 1424 wrote to memory of 1072	1424	6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114.exe	vbc.exe
PID 1424 wrote to memory of 1072	1424	6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114.exe
"C:\Users\Admin\AppData\Local\Temp\6b80459293e1eae78fa4efafbc8ddae1fb2bdb73c35c0b1880fdb65d80a49114.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 184
3⤵
- Program crash
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1072 -ip 1072
1⤵
PID:4516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-132-0x0000000000000000-mapping.dmp

Download
memory/1072-133-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1072-134-0x00000000005B0000-0x00000000005DB000-memory.dmp

Filesize
172KB

Download
memory/1424-130-0x0000000000C10000-0x0000000000C56000-memory.dmp

Filesize
280KB

Download
memory/1424-131-0x0000000005C00000-0x00000000061A4000-memory.dmp

Filesize
5.6MB

Download