xloader | f6bd2853a8346c75b10f30184adf3a12ddcc7b25dac4a1b0a5e281179b1e1322

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c737a6befc4bba6c1ddba35d396f9d6.exe
Size

261KB
MD5

0c737a6befc4bba6c1ddba35d396f9d6
SHA1

e8e1dc5a5df9cc353f5a8be32dd19eef38a5b909
SHA256

f6bd2853a8346c75b10f30184adf3a12ddcc7b25dac4a1b0a5e281179b1e1322
SHA512

57e70330eb5f07a359bb2889fd98c76009502e29e76ed7d27615b7e031bfe0a536bbc7b9a446ce35ec37a9abdcfa80bbfe653a67fa631408c28c2b78964d5014
SSDEEP

6144:d/gFDMLc/CNihEGpptdMN2/CS/jyjLndnqPU5IJFGTP:dMDMoKkh5/I8CS/jyvA8CJFGTP

Score

10^/10

xloader b6a4 loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

b6a4

Decoy

reviewsresolutions.com

binhminhgardenshophouse.com

nebulacom.com

kadhambaristudio.com

viltoom.club

supmomma.com

tjszxddc.com

darlingmemories.com

hyperultrapure.com

vibembrio.com

reallycoolmask.com

cumbukita.com

brian-newby.com

abstractaccessories.com

marykinky.com

minnesotareversemtgloans.com

prasetlement.com

xplpgi.com

xn--gdask-y7a.com

uababaseball.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2028-3-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

0c737a6befc4bba6c1ddba35d396f9d6.exe

description pid process target process

PID 2140 set thread context of 2028 2140 0c737a6befc4bba6c1ddba35d396f9d6.exe 0c737a6befc4bba6c1ddba35d396f9d6.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0c737a6befc4bba6c1ddba35d396f9d6.exe

pid process

2028 0c737a6befc4bba6c1ddba35d396f9d6.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0c737a6befc4bba6c1ddba35d396f9d6.exe

pid process

2140 0c737a6befc4bba6c1ddba35d396f9d6.exe

description	pid	process	target process
PID 2140 set thread context of 2028	2140	0c737a6befc4bba6c1ddba35d396f9d6.exe	0c737a6befc4bba6c1ddba35d396f9d6.exe

pid	process
2028	0c737a6befc4bba6c1ddba35d396f9d6.exe

pid	process
2140	0c737a6befc4bba6c1ddba35d396f9d6.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

0c737a6befc4bba6c1ddba35d396f9d6.exe

description	pid	process	target process
PID 2140 wrote to memory of 2028	2140	0c737a6befc4bba6c1ddba35d396f9d6.exe	0c737a6befc4bba6c1ddba35d396f9d6.exe
PID 2140 wrote to memory of 2028	2140	0c737a6befc4bba6c1ddba35d396f9d6.exe	0c737a6befc4bba6c1ddba35d396f9d6.exe
PID 2140 wrote to memory of 2028	2140	0c737a6befc4bba6c1ddba35d396f9d6.exe	0c737a6befc4bba6c1ddba35d396f9d6.exe
PID 2140 wrote to memory of 2028	2140	0c737a6befc4bba6c1ddba35d396f9d6.exe	0c737a6befc4bba6c1ddba35d396f9d6.exe
PID 2140 wrote to memory of 2028	2140	0c737a6befc4bba6c1ddba35d396f9d6.exe	0c737a6befc4bba6c1ddba35d396f9d6.exe

C:\Users\Admin\AppData\Local\Temp\0c737a6befc4bba6c1ddba35d396f9d6.exe
"C:\Users\Admin\AppData\Local\Temp\0c737a6befc4bba6c1ddba35d396f9d6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\0c737a6befc4bba6c1ddba35d396f9d6.exe
"C:\Users\Admin\AppData\Local\Temp\0c737a6befc4bba6c1ddba35d396f9d6.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2028

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2028-4-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/2140-1-0x00000000001F0000-0x00000000002F0000-memory.dmp

Filesize
1024KB

Download
memory/2140-2-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download