xloader | 99ce15e2fc458d02db44d648a4b88bfff0043131b392475ad314a1f3dd72245f | Triage

Sharing

General

Target

03052021.xlsx
Size

2.7MB
Sample

210305-3cl3tzqy86
MD5

7d4798dccbd61d8cebb3f9541139276a
SHA1

40a3a4635f797e1436414700a3f6611aa9d7abd4
SHA256

99ce15e2fc458d02db44d648a4b88bfff0043131b392475ad314a1f3dd72245f
SHA512

0cfa1b86d4ba2f5c42778a097b145440cc35a124bf68796d882100cd89ea5b3500e95be3be3678d8b8cca1087731d8dd8f7beae339e3cf379e94c9812250277a

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

C2

http://www.rizrvd.com/bw82/

Decoy

fundamentaliemef.com

gallerybrows.com

leadeligey.com

octoberx2.online

climaxnovels.com

gdsjgf.com

curateherstories.com

blacksailus.com

yjpps.com

gmobilet.com

fcoins.club

foreverlive2027.com

healthyfifties.com

wmarquezy.com

housebulb.com

thebabyfriendly.com

primajayaintiperkasa.com

learnplaychess.com

chrisbubser.digital

xn--avenr-wsa.com

Targets

- Target
  
  03052021.xlsx
- Size
  
  2.7MB
- MD5
  
  7d4798dccbd61d8cebb3f9541139276a
- SHA1
  
  40a3a4635f797e1436414700a3f6611aa9d7abd4
- SHA256
  
  99ce15e2fc458d02db44d648a4b88bfff0043131b392475ad314a1f3dd72245f
- SHA512
  
  0cfa1b86d4ba2f5c42778a097b145440cc35a124bf68796d882100cd89ea5b3500e95be3be3678d8b8cca1087731d8dd8f7beae339e3cf379e94c9812250277a
Score

10^/10

xloader loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderloaderrat

behavioral2