xloader | b4fc77c70794670f21a4c4fbc3b608589cef7b9d98acadf9b0a956404f6ca0be

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/fqbakxndgg.dll
Size

27KB
MD5

0ec0b6676a0c830fa1d12a82e0e2ccfc
SHA1

61edae0d4bb19dd31b9ed2ed4d76c99b4f04ebe2
SHA256

c168119aced865f94f0856f3d7419f33142ffe0e8f90c94205d5707b60710617
SHA512

ea5496d61a19ac03a49788d5cc7ae18603ec728c153b9c580f6faa7cfc850c297f9978429627e765467d8130409ca25ce041f0f42065d14fe53c6ef69943e574
SSDEEP

768:OoFu+rc9RGl6YgSs30bktAkra37Wd1+rNHBYD3rHDoMgM3:JhrUGlLAqwaM1C6D3rSA

Score

10^/10

xloader b2c0 loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b2c0

Decoy

bjyxszd520.xyz

hsvfingerprinting.com

elliotpioneer.com

bf396.com

chinaopedia.com

6233v.com

shopeuphoricapparel.com

loccssol.store

truefictionpictures.com

playstarexch.com

peruviancoffee.store

shobhajoshi.com

philme.net

avito-rules.com

independencehomecenters.com

atp-cayenne.com

invetorsbank.com

sasanos.com

scentfreebnb.com

catfuid.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral3/memory/2480-3-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral3/memory/2480-9-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral3/memory/2480-14-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2880 set thread context of 2480	2880	rundll32.exe	29
PID 2480 set thread context of 1200	2480	rundll32.exe	21
PID 2480 set thread context of 1200	2480	rundll32.exe	21

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2884	2732	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2480	rundll32.exe
2480	rundll32.exe
2480	rundll32.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2480	rundll32.exe
2480	rundll32.exe
2480	rundll32.exe
2480	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	rundll32.exe
Token: SeShutdownPrivilege	1200	Explorer.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 2880	384	rundll32.exe	28
PID 384 wrote to memory of 2880	384	rundll32.exe	28
PID 384 wrote to memory of 2880	384	rundll32.exe	28
PID 384 wrote to memory of 2880	384	rundll32.exe	28
PID 384 wrote to memory of 2880	384	rundll32.exe	28
PID 384 wrote to memory of 2880	384	rundll32.exe	28
PID 384 wrote to memory of 2880	384	rundll32.exe	28
PID 2880 wrote to memory of 2480	2880	rundll32.exe	29
PID 2880 wrote to memory of 2480	2880	rundll32.exe	29
PID 2880 wrote to memory of 2480	2880	rundll32.exe	29
PID 2880 wrote to memory of 2480	2880	rundll32.exe	29
PID 2880 wrote to memory of 2480	2880	rundll32.exe	29
PID 2880 wrote to memory of 2480	2880	rundll32.exe	29
PID 2880 wrote to memory of 2480	2880	rundll32.exe	29
PID 2880 wrote to memory of 2480	2880	rundll32.exe	29
PID 2880 wrote to memory of 2480	2880	rundll32.exe	29
PID 2880 wrote to memory of 2480	2880	rundll32.exe	29
PID 2480 wrote to memory of 2732	2480	rundll32.exe	30
PID 2480 wrote to memory of 2732	2480	rundll32.exe	30
PID 2480 wrote to memory of 2732	2480	rundll32.exe	30
PID 2480 wrote to memory of 2732	2480	rundll32.exe	30
PID 2480 wrote to memory of 2732	2480	rundll32.exe	30
PID 2480 wrote to memory of 2732	2480	rundll32.exe	30
PID 2480 wrote to memory of 2732	2480	rundll32.exe	30
PID 2732 wrote to memory of 2884	2732	msiexec.exe	31
PID 2732 wrote to memory of 2884	2732	msiexec.exe	31
PID 2732 wrote to memory of 2884	2732	msiexec.exe	31
PID 2732 wrote to memory of 2884	2732	msiexec.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1200
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\fqbakxndgg.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\fqbakxndgg.dll,#1
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\fqbakxndgg.dll,#1
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\SysWOW64\msiexec.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 268
        6⤵
        Program crash
        
        PID:2884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1200-8-0x0000000004000000-0x0000000004200000-memory.dmp

Filesize
2.0MB

Download
memory/1200-16-0x0000000005000000-0x00000000050BE000-memory.dmp

Filesize
760KB

Download
memory/1200-11-0x0000000005150000-0x0000000005290000-memory.dmp

Filesize
1.2MB

Download
memory/2480-15-0x0000000000250000-0x0000000000261000-memory.dmp

Filesize
68KB

Download
memory/2480-6-0x0000000002160000-0x0000000002463000-memory.dmp

Filesize
3.0MB

Download
memory/2480-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2480-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2480-10-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download
memory/2480-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2732-17-0x00000000004A0000-0x00000000004B4000-memory.dmp

Filesize
80KB

Download
memory/2732-20-0x00000000004A0000-0x00000000004B4000-memory.dmp

Filesize
80KB

Download
memory/2732-18-0x00000000004A0000-0x00000000004B4000-memory.dmp

Filesize
80KB

Download
memory/2880-5-0x0000000074F40000-0x0000000074F4A000-memory.dmp

Filesize
40KB

Download
memory/2880-1-0x0000000074F40000-0x0000000074F4A000-memory.dmp

Filesize
40KB

Download
memory/2880-0-0x0000000074F50000-0x0000000074F5A000-memory.dmp

Filesize
40KB

Download
memory/2880-4-0x0000000074F50000-0x0000000074F57000-memory.dmp

Filesize
28KB

Download
memory/2880-2-0x0000000074F40000-0x0000000074F4A000-memory.dmp

Filesize
40KB

Download