xloader

General

Target

RFQ 견적요청_해성190918.exe
Size

467KB
Sample

210412-9mh4lj85lx
MD5

cd70300691bc9f2a261dc6b814ea31a0
SHA1

255a24ace53039f262cc74bcda27541a4c3eeaaf
SHA256

5b578a81fa5276232529484ff00db9fca64a7879ab4a7abc652c9d0d3e1461ba
SHA512

f3c86b554d45f0d0cc67be9ed25025411d47ed513fb0f72978e952c2fcbf20357ee55f1754dc7961afd1e0fc07149dfd38709c0205ad50fccdf7fdf97de981a5

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.mappmake.com/hrqs/

Decoy

xaydungdahoacuonghoanglong.com

bigbladesharpeningservice.com

lafabricadestock.com

anothersanitizerbusiness.com

vidahproperties.com

peoples.mba

lucrumglobaltrading.com

saucywhite.com

larissabarros.com

sybjs.net

crasvaleasingn.com

helpmelabit.com

physiciansimpact.com

graduacionesdemexico.com

banhflanquynhhoa.com

jn163.com

startzassets.com

kutrasoftware.com

karasknots.com

tupetmarketingdigital.com

Targets

- Target
  
  RFQ 견적요청_해성190918.exe
- Size
  
  467KB
- MD5
  
  cd70300691bc9f2a261dc6b814ea31a0
- SHA1
  
  255a24ace53039f262cc74bcda27541a4c3eeaaf
- SHA256
  
  5b578a81fa5276232529484ff00db9fca64a7879ab4a7abc652c9d0d3e1461ba
- SHA512
  
  f3c86b554d45f0d0cc67be9ed25025411d47ed513fb0f72978e952c2fcbf20357ee55f1754dc7961afd1e0fc07149dfd38709c0205ad50fccdf7fdf97de981a5
Score

10^/10

xloader agilenet loader persistence rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader Payload

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2