xloader | c9331df750653afe477b1dcd6663a80a6b579af04fc4dd50ffefd1c0a12518a3

Analysis

max time kernel
15s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3b05407428f3bb90350615cd39a4e637a6fbc4e_1637341810240.exe
Size

372KB
MD5

c447eb1a63e1feaff9de0c7a6667f9e0
SHA1

b3b05407428f3bb90350615cd39a4e637a6fbc4e
SHA256

beb008bb29bd0fc62b33e2961e016be1677f9cb78334e211bd53b21837f250b2
SHA512

26b8916630e5a8dce5a6e1d2794a0e42dc144ed460458829d45bb5797b254f0dce1060b433d2c9b7085d6c4562ba3d1fca35a6c47b15e0972881d7c131f42317
SSDEEP

6144:dGiaE286EZe/iYO2+EmftF6QrrsZlzWVpMW0resQUb5nXSWb0OiAEWNI:oE286T/iYO2+Df3xEZlzspkHJXSZ4EQI

Score

10^/10

xloader ycgc discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ycgc

Decoy

radharanipestcontrol.com

danye-wang.net

thgn3.xyz

clasdcharts.com

eighty20consults.com

rivian.email

paulapossetto.com

killwinesports.com

tgfwatches.com

help-sources.com

dazzlingbad.info

sgpropertymanagementllc.net

crokobos.info

pendekarherbshq.com

beheld3d.art

voipwallet.com

solideo.fail

cooperativecareitalia.com

sunlandstreet.com

carandmoore.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1476-9-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Loads dropped DLL 1 IoCs

pid	Process
2548	b3b05407428f3bb90350615cd39a4e637a6fbc4e_1637341810240.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2548 set thread context of 1476	2548	b3b05407428f3bb90350615cd39a4e637a6fbc4e_1637341810240.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3b05407428f3bb90350615cd39a4e637a6fbc4e_1637341810240.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1476	b3b05407428f3bb90350615cd39a4e637a6fbc4e_1637341810240.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1476	2548	b3b05407428f3bb90350615cd39a4e637a6fbc4e_1637341810240.exe	30
PID 2548 wrote to memory of 1476	2548	b3b05407428f3bb90350615cd39a4e637a6fbc4e_1637341810240.exe	30
PID 2548 wrote to memory of 1476	2548	b3b05407428f3bb90350615cd39a4e637a6fbc4e_1637341810240.exe	30
PID 2548 wrote to memory of 1476	2548	b3b05407428f3bb90350615cd39a4e637a6fbc4e_1637341810240.exe	30
PID 2548 wrote to memory of 1476	2548	b3b05407428f3bb90350615cd39a4e637a6fbc4e_1637341810240.exe	30
PID 2548 wrote to memory of 1476	2548	b3b05407428f3bb90350615cd39a4e637a6fbc4e_1637341810240.exe	30
PID 2548 wrote to memory of 1476	2548	b3b05407428f3bb90350615cd39a4e637a6fbc4e_1637341810240.exe	30

C:\Users\Admin\AppData\Local\Temp\b3b05407428f3bb90350615cd39a4e637a6fbc4e_1637341810240.exe
"C:\Users\Admin\AppData\Local\Temp\b3b05407428f3bb90350615cd39a4e637a6fbc4e_1637341810240.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\b3b05407428f3bb90350615cd39a4e637a6fbc4e_1637341810240.exe
  "C:\Users\Admin\AppData\Local\Temp\b3b05407428f3bb90350615cd39a4e637a6fbc4e_1637341810240.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nse93F7.tmp\fbban.dll

Filesize
94KB

MD5
f54a3744a8bc9947fc4f01f9595010e3

SHA1
b2e5c87d16cf29b55753297fefd6b7bab4cc77b0

SHA256
a5cf6cd784167eab65e5c2b9a57d3df96ac0d89c2ddd0743674471e42100dcfd

SHA512
9ff89e8b5234ba8fb9887fc589d4b6b334211058d9cc252a3f382d56783ea04d8524d54bc6f131bc7ad3246cd6bad95564086a6ae90042a42d441ac25a93dcf8

Download Submit
memory/1476-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2548-7-0x0000000010015000-0x0000000010017000-memory.dmp

Filesize
8KB

Download