xloader

General

Target

DHL Shipping doc & Shipment tracking details.docx
Size

10KB
Sample

210408-9h7wsybb7e
MD5

30909a9932c77fb923a96b1b090b4806
SHA1

2bbe988290a47de63763796db6a39de0e268a5cf
SHA256

23e650ad3f02ea9f4a402bf5e719d745b7c307c34fd8915045c79d51aab48741
SHA512

3a42c4e4384bed6fe50d3ac3cc02d65108b315ae899abea355792d2f1063be415d80aa1786bac9053a5b7a5f622491fcc5e53cb8c222c252a430b9af0c034836

Score

10^/10

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/................................................................................dot

Extracted

Family

xloader

Version

2.3

C2

http://www.scott-re.online/nnmd/

Decoy

bongwater.life

regalparkllc.com

gyanankuram.com

quehaydecenarhoy.com

israeldigitalblog.net

gatewaygaurdians.com

krphp.com

domentemenegi47.com

fjsibao.com

yetbor.com

goldenvalueable.com

finalexam-thegame.com

buyeverythingforbaby.com

phillydroneservices.com

xn--kck4cd0r.net

suns-brothers.com

xn--80aaxkmix.xn--p1acf

pjsgsc.com

7985699.com

blackmantech.fitness

Targets

- Target
  
  DHL Shipping doc & Shipment tracking details.docx
- Size
  
  10KB
- MD5
  
  30909a9932c77fb923a96b1b090b4806
- SHA1
  
  2bbe988290a47de63763796db6a39de0e268a5cf
- SHA256
  
  23e650ad3f02ea9f4a402bf5e719d745b7c307c34fd8915045c79d51aab48741
- SHA512
  
  3a42c4e4384bed6fe50d3ac3cc02d65108b315ae899abea355792d2f1063be415d80aa1786bac9053a5b7a5f622491fcc5e53cb8c222c252a430b9af0c034836
Score

10^/10

xloader loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Blocklisted process makes network request
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2