xloader | 62d4b809036b03226c7b5c36b6126d97cc1ecf915200146391bf05e74c58e874

Analysis

max time kernel
112s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-05-2022 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INQNEW#PO24052022.qdf.exe
Size

276KB
MD5

ebb0fecde4a2e88c63c27c82810113b5
SHA1

c5658bec21ea4dfe2d0a66089d2d18bf081c778f
SHA256

df1b0eef4f32a5c2527691175375962957db71bc913d37f6e71150e599b2b31c
SHA512

05960c717d5f30ca5b1424a3a2806c2a7a00b6ec4a3949bdb7db4d7f5fd885119cf18cbb752537ddcb7bc277ecf683d060c40baee3ac6bdb6f76cb5a50598ad8

Score

10^/10

xloader be4o loader rat

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

be4o

Decoy

laboratoriobioixcha.com

tictocperushop.online

wild-oceans.com

belaruscountry.com

kicktmall.com

fitcoinweb.tech

mores.one

gogear.one

gxrcksy.com

samrcq.com

impossible-icecream.com

bravesxx.com

bookchainart.com

sleepsolutionsofmboro.com

ocbrazilbusinessclub.com

advisor76.xyz

xitaotech.com

mgsdtytifgf3414.xyz

johnson-brown.net

cr3drt.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4928-134-0x0000000000F40000-0x0000000000F6B000-memory.dmp	xloader

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

INQNEW#PO24052022.qdf.exe

description pid process target process

PID 912 set thread context of 4928 912 INQNEW#PO24052022.qdf.exe vbc.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2412 4928 WerFault.exe vbc.exe
2156 4928 WerFault.exe vbc.exe

description	pid	process	target process
PID 912 set thread context of 4928	912	INQNEW#PO24052022.qdf.exe	vbc.exe

pid	pid_target	process	target process
2412	4928	WerFault.exe	vbc.exe
2156	4928	WerFault.exe	vbc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

INQNEW#PO24052022.qdf.exe

description	pid	process	target process
PID 912 wrote to memory of 4928	912	INQNEW#PO24052022.qdf.exe	vbc.exe
PID 912 wrote to memory of 4928	912	INQNEW#PO24052022.qdf.exe	vbc.exe
PID 912 wrote to memory of 4928	912	INQNEW#PO24052022.qdf.exe	vbc.exe
PID 912 wrote to memory of 4928	912	INQNEW#PO24052022.qdf.exe	vbc.exe
PID 912 wrote to memory of 4928	912	INQNEW#PO24052022.qdf.exe	vbc.exe
PID 912 wrote to memory of 4928	912	INQNEW#PO24052022.qdf.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\INQNEW#PO24052022.qdf.exe
"C:\Users\Admin\AppData\Local\Temp\INQNEW#PO24052022.qdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 180
3⤵
- Program crash
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 204
3⤵
- Program crash
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4928 -ip 4928
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4928 -ip 4928
1⤵
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/912-130-0x0000000000AC0000-0x0000000000B0A000-memory.dmp

Filesize
296KB

Download
memory/912-131-0x0000000005970000-0x0000000005F14000-memory.dmp

Filesize
5.6MB

Download
memory/4928-132-0x0000000000000000-mapping.dmp

Download
memory/4928-133-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4928-134-0x0000000000F40000-0x0000000000F6B000-memory.dmp

Filesize
172KB

Download