xloader | fef4ff3d7065c797a62443c99e5ea91d4d1f2c421726b24df6571d8559dffdb7

Analysis

max time kernel
74s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

897201ea7e47403cf8b8431ab9a59bcee9eb559ecba43a2224852cbd5b75e580.exe
Size

737KB
MD5

7b3930f320bc8e3a4518b0900ff713fd
SHA1

49f2502e24107b9e9a55537d44fd245008a1d743
SHA256

897201ea7e47403cf8b8431ab9a59bcee9eb559ecba43a2224852cbd5b75e580
SHA512

ddea25208a5086f81d4378ddeb1cc5d6713a83607099d0b809a403770e558a9096913faa9014899da1cd2644d031c692fa2b235999e6eb20ba67859178999b26
SSDEEP

12288:L5g5YHfdVPIcz8CSZJVyiVp/UlFrMNf9vqDgjieZUks+EKVFtc6:b1l7zIZGiVpcT8f9vq8jiaUkiK

Score

10^/10

xloader bh9c discovery loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

bh9c

Decoy

javhdxx.net

merakii.art

vagonorientexpress.com

charliethetortoise.com

hgspw.net

creciendoconvos.com

duppercaptat.quest

threattotal.info

heidecide.xyz

beverageplug.com

clothandcauldron.net

elbach.store

dtassistant.com

miumellow.com

militarydefensecampbase.com

backratz.com

fuzzyfrendz.com

usa-visa-open.space

moon9.xyz

staynolive.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
Xloader family
xloader

Xloader payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2496-14-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 2496	2116	897201ea7e47403cf8b8431ab9a59bcee9eb559ecba43a2224852cbd5b75e580.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	897201ea7e47403cf8b8431ab9a59bcee9eb559ecba43a2224852cbd5b75e580.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2496	897201ea7e47403cf8b8431ab9a59bcee9eb559ecba43a2224852cbd5b75e580.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2496	2116	897201ea7e47403cf8b8431ab9a59bcee9eb559ecba43a2224852cbd5b75e580.exe	30
PID 2116 wrote to memory of 2496	2116	897201ea7e47403cf8b8431ab9a59bcee9eb559ecba43a2224852cbd5b75e580.exe	30
PID 2116 wrote to memory of 2496	2116	897201ea7e47403cf8b8431ab9a59bcee9eb559ecba43a2224852cbd5b75e580.exe	30
PID 2116 wrote to memory of 2496	2116	897201ea7e47403cf8b8431ab9a59bcee9eb559ecba43a2224852cbd5b75e580.exe	30
PID 2116 wrote to memory of 2496	2116	897201ea7e47403cf8b8431ab9a59bcee9eb559ecba43a2224852cbd5b75e580.exe	30
PID 2116 wrote to memory of 2496	2116	897201ea7e47403cf8b8431ab9a59bcee9eb559ecba43a2224852cbd5b75e580.exe	30
PID 2116 wrote to memory of 2496	2116	897201ea7e47403cf8b8431ab9a59bcee9eb559ecba43a2224852cbd5b75e580.exe	30

C:\Users\Admin\AppData\Local\Temp\897201ea7e47403cf8b8431ab9a59bcee9eb559ecba43a2224852cbd5b75e580.exe
"C:\Users\Admin\AppData\Local\Temp\897201ea7e47403cf8b8431ab9a59bcee9eb559ecba43a2224852cbd5b75e580.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\897201ea7e47403cf8b8431ab9a59bcee9eb559ecba43a2224852cbd5b75e580.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2116-6-0x0000000005030000-0x00000000050B2000-memory.dmp

Filesize
520KB

Download
memory/2116-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/2116-2-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2116-3-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/2116-4-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/2116-5-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2116-1-0x00000000013D0000-0x000000000148E000-memory.dmp

Filesize
760KB

Download
memory/2116-7-0x0000000000690000-0x00000000006C0000-memory.dmp

Filesize
192KB

Download
memory/2116-15-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2496-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2496-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-16-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download