xloader | 8a968e412a3f5212e36a69d429dc0a2be143e70ad6ffe7c2b4a9bb4ab19ca045

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5aa56b1df29b386fdc8ab5b37b5c9b6d82ce07ada2d7dfa72e032ed85bc4989.exe
Size

585KB
MD5

dde77a728a1b702ff6a33abbae4355e7
SHA1

04787344a6c90238784e02ba7163c05d11a9b9be
SHA256

b5aa56b1df29b386fdc8ab5b37b5c9b6d82ce07ada2d7dfa72e032ed85bc4989
SHA512

0445494258b61c3f2235bd6bf0bf33dbd627f247eb27973c4b706385c952d8d718499c9aaad2899d11944e821bc45f64928ccb04ad18e9dbeee7b4f71243de76
SSDEEP

12288:rXe9PPlowWX0t6mOQwg1Qd15CcYk0We10p5WViXp0VFarPjvBf+rn+4:yhloDX0XOf48+Y6VFINmF

Score

10^/10

xloader cttb discovery loader rat upx

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

cttb

Decoy

annarbor-weeddelivery.com

capquangept.com

mind.srl

blazingboard.com

wecallnzhome.com

moritamorio.com

jyxq.net

dabanse.com

luma-dating.com

2020won.com

lucydemo63.com

misskarenenglisheacher.com

tuckersucks.com

northeastprivacy.com

whipitinventions.com

casino-r6.club

asmrempowerment.com

topkids.asia

mattressmonth.com

antivirus-zastita.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2356-9-0x0000000000400000-0x0000000000428000-memory.dmp	xloader

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2344-10-0x0000000000400000-0x0000000000554000-memory.dmp	autoit_exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2344-0-0x0000000000400000-0x0000000000554000-memory.dmp	upx
behavioral1/memory/2344-10-0x0000000000400000-0x0000000000554000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5aa56b1df29b386fdc8ab5b37b5c9b6d82ce07ada2d7dfa72e032ed85bc4989.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2344	b5aa56b1df29b386fdc8ab5b37b5c9b6d82ce07ada2d7dfa72e032ed85bc4989.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2356	2344	b5aa56b1df29b386fdc8ab5b37b5c9b6d82ce07ada2d7dfa72e032ed85bc4989.exe	31
PID 2344 wrote to memory of 2356	2344	b5aa56b1df29b386fdc8ab5b37b5c9b6d82ce07ada2d7dfa72e032ed85bc4989.exe	31
PID 2344 wrote to memory of 2356	2344	b5aa56b1df29b386fdc8ab5b37b5c9b6d82ce07ada2d7dfa72e032ed85bc4989.exe	31
PID 2344 wrote to memory of 2356	2344	b5aa56b1df29b386fdc8ab5b37b5c9b6d82ce07ada2d7dfa72e032ed85bc4989.exe	31
PID 2344 wrote to memory of 2356	2344	b5aa56b1df29b386fdc8ab5b37b5c9b6d82ce07ada2d7dfa72e032ed85bc4989.exe	31

C:\Users\Admin\AppData\Local\Temp\b5aa56b1df29b386fdc8ab5b37b5c9b6d82ce07ada2d7dfa72e032ed85bc4989.exe
"C:\Users\Admin\AppData\Local\Temp\b5aa56b1df29b386fdc8ab5b37b5c9b6d82ce07ada2d7dfa72e032ed85bc4989.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\b5aa56b1df29b386fdc8ab5b37b5c9b6d82ce07ada2d7dfa72e032ed85bc4989.exe
  "C:\Users\Admin\AppData\Local\Temp\b5aa56b1df29b386fdc8ab5b37b5c9b6d82ce07ada2d7dfa72e032ed85bc4989.exe"
  2⤵
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lohcziujilty

Filesize
216KB

MD5
2ea229f3ca45ff7bc956cc5fccfa2a05

SHA1
ab59a4d9c51fe82a597448d3bcf00032b70ca771

SHA256
83dbc3a5ddac892e433d25b4789fb80a78619b07423fdce2b25d02312c4ae605

SHA512
e8bfed7d85c44ba0224618a3db66be8d1bfa5a66fc35db0f8d485b3815df35245e32e167129d1d4317166e20f1f3beef9ac0c2f38745959033a4600a87992c27

Download Submit
memory/2344-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2344-7-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/2344-8-0x0000000000990000-0x0000000000992000-memory.dmp

Filesize
8KB

Download
memory/2344-10-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2356-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download