xloader | 4fe26ebfc5412205231040de3bf8f865da141f2c9c5c2c809e4bf6ceced43e55

General

Target

triage_dropped_file.exe
Size

798KB
MD5

fa6cb9677ff2254615166747668a72ed
SHA1

e784bfd8f5f4514569205bb535ed8bc36ab47f28
SHA256

4fe26ebfc5412205231040de3bf8f865da141f2c9c5c2c809e4bf6ceced43e55
SHA512

e6e05225ecbf3e0157bc5b55980c17a7e9f61d36aadb172ae753b140c69b10f3e58d3a020e4225a25596b7aae586409e7c59e4ab2046e134ce5ccfc281484617

Score

10^/10

xloader be4o loader rat

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

be4o

Decoy

laboratoriobioixcha.com

tictocperushop.online

wild-oceans.com

belaruscountry.com

kicktmall.com

fitcoinweb.tech

mores.one

gogear.one

gxrcksy.com

samrcq.com

impossible-icecream.com

bravesxx.com

bookchainart.com

sleepsolutionsofmboro.com

ocbrazilbusinessclub.com

advisor76.xyz

xitaotech.com

mgsdtytifgf3414.xyz

johnson-brown.net

cr3drt.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/964-63-0x000000000041F270-mapping.dmp	xloader

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

triage_dropped_file.exe

description pid process target process

PID 376 set thread context of 964 376 triage_dropped_file.exe vbc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1280 964 WerFault.exe vbc.exe

description	pid	process	target process
PID 376 set thread context of 964	376	triage_dropped_file.exe	vbc.exe

pid	pid_target	process	target process
1280	964	WerFault.exe	vbc.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

triage_dropped_file.exevbc.exe

description	pid	process	target process
PID 376 wrote to memory of 964	376	triage_dropped_file.exe	vbc.exe
PID 376 wrote to memory of 964	376	triage_dropped_file.exe	vbc.exe
PID 376 wrote to memory of 964	376	triage_dropped_file.exe	vbc.exe
PID 376 wrote to memory of 964	376	triage_dropped_file.exe	vbc.exe
PID 376 wrote to memory of 964	376	triage_dropped_file.exe	vbc.exe
PID 376 wrote to memory of 964	376	triage_dropped_file.exe	vbc.exe
PID 964 wrote to memory of 1280	964	vbc.exe	WerFault.exe
PID 964 wrote to memory of 1280	964	vbc.exe	WerFault.exe
PID 964 wrote to memory of 1280	964	vbc.exe	WerFault.exe
PID 964 wrote to memory of 1280	964	vbc.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe
"C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 144
3⤵
- Program crash
PID:1280

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/376-64-0x000007FEF4640000-0x000007FEF5BC8000-memory.dmp

Filesize
21.5MB

Download
memory/376-61-0x000007FEF3810000-0x000007FEF39F8000-memory.dmp

Filesize
1.9MB

Download
memory/376-68-0x000007FEEE0D0000-0x000007FEEF01D000-memory.dmp

Filesize
15.3MB

Download
memory/376-67-0x000007FEF2DC0000-0x000007FEF3810000-memory.dmp

Filesize
10.3MB

Download
memory/376-59-0x000007FEF4640000-0x000007FEF5BC8000-memory.dmp

Filesize
21.5MB

Download
memory/376-60-0x000007FEF3A00000-0x000007FEF463F000-memory.dmp

Filesize
12.2MB

Download
memory/376-55-0x00000000006C0000-0x00000000006F6000-memory.dmp

Filesize
216KB

Download
memory/376-54-0x0000000000030000-0x00000000000FC000-memory.dmp

Filesize
816KB

Download
memory/376-66-0x000007FEEE0D0000-0x000007FEEF01D000-memory.dmp

Filesize
15.3MB

Download
memory/964-63-0x000000000041F270-mapping.dmp

Download
memory/964-62-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/964-57-0x0000000000080000-0x00000000000AB000-memory.dmp

Filesize
172KB

Download
memory/964-56-0x0000000000080000-0x00000000000AB000-memory.dmp

Filesize
172KB

Download
memory/1280-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing