xloader | ab80b9b17c044eeed0605980caeaf6617c48f04d4f11a5f19d9a65256a940e95 | Triage

Submit
Reports

Overview

overview

Static

static

40HQ_of_CI...3.docx

windows7_x64

40HQ_of_CI...3.docx

windows10_x64

1

Sharing

General

Target

40HQ_of_CI_PL_SC_HR210503.docx
Size

10KB
Sample

210503-zl4vg68bra
MD5

78e85cb8cd9169dfe6fe6ddcf4090a97
SHA1

6ca04ffc772794b12f4b6c724387823c185cce6e
SHA256

ab80b9b17c044eeed0605980caeaf6617c48f04d4f11a5f19d9a65256a940e95
SHA512

d330a14930f4fe9e74a0973e261bd060844b62211fa00f316c4d8233907a7cd845b6782a2cb646c5eb33246cad65d9f41dc42c57d57401f5ec0425e686e3256d

Score

10^/10

xloader loader rat websettings

Static task

static1

Behavioral task

behavioral1

Sample

40HQ_of_CI_PL_SC_HR210503.docx

Resource

win7v20210410

xloader loader rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

40HQ_of_CI_PL_SC_HR210503.docx

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://107.173.219.80/prf/regasm.dot

Extracted

Family

xloader

Version

2.3

C2

http://www.stonescapes1.com/de92/

Decoy

zindaginews.com

tyelevator.com

schustermaninterests.com

algemixdelchef.com

doubscollectivites.com

e-butchery.com

hellbentmask.com

jumbpprivacy.com

teeniestiedye.com

playfulartwork.com

desertvacahs.com

w5470-hed.net

nepalearningpods.com

smoothandsleek.com

thecannaglow.com

torrentkittyla.com

industrytoyou.com

raquelvargas.net

rlc-nc.net

cryptoprises.com

chinjungmom.com

blondedevil.com

associationindependence.com

tokachiashi50.xyz

cantstoptennis.com

english3s.com

flowtechblasting.com

customputtputtgolf.com

onointeriors.com

lenafive.com

jygraphics.com

plantologia.com

withatwist2016.com

bingent.info

nakedsumac.com

rosetheamazingrealtor.com

gogoivyschool.com

silhouettebodyspa.com

fomssdf4.com

goodcontractor.net

republicpc.com

zante2020.com

t-junko.com

kittens.finance

mkchemicalvina.com

quadacross.com

maemaetravelworld.com

bradforrexchange.com

fashiongomaufacturer.com

hollapac.com

qxmenye.com

neuro-robotics.com

365shared.com

dinamisapp.com

b3service.com

getyourquan.com

udothat.com

cutting21778.com

vdacouture.com

venerossala.com

thefunboxshoppe.com

indomedianewsc.com

nagansatu.com

precisionoxes.com

Targets

- Target
  
  40HQ_of_CI_PL_SC_HR210503.docx
- Size
  
  10KB
- MD5
  
  78e85cb8cd9169dfe6fe6ddcf4090a97
- SHA1
  
  6ca04ffc772794b12f4b6c724387823c185cce6e
- SHA256
  
  ab80b9b17c044eeed0605980caeaf6617c48f04d4f11a5f19d9a65256a940e95
- SHA512
  
  d330a14930f4fe9e74a0973e261bd060844b62211fa00f316c4d8233907a7cd845b6782a2cb646c5eb33246cad65d9f41dc42c57d57401f5ec0425e686e3256d
Score

10^/10

xloader loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderloaderrat

behavioral2

© 2018-2024

Terms | Privacy