xloader | f733a7388657968b77ebcf2996451ff762cbdcc6f064e11b9a3671b47c29d17f | Triage

Submit
Reports

Overview

overview

Static

static

status.xlsx

windows7_x64

status.xlsx

windows10_x64

1

Sharing

General

Target

status.xlsx
Size

1.2MB
Sample

210727-lfcrc8brm6
MD5

29f0bda585a8167f6454692a90bc4680
SHA1

caf70f07d7e1f5fbd3cc80976eb3b72a63a883cf
SHA256

f733a7388657968b77ebcf2996451ff762cbdcc6f064e11b9a3671b47c29d17f
SHA512

936ae0cf1980b360617fd8ab9ab90727dcd1f628fababee16b108836a0cb4182d9d50169f4efb0914ac89d8ecbc9c765695c30221a05905e795658005a1b4f1d

Score

10^/10

xloader loader rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

status.xlsx

Resource

win7v20210410

xloader loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

status.xlsx

Resource

win10v20210410

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.thafresnelgroup.com/p1nr/

Decoy

sooncbd.com

gooddogs.direct

tauding.com

cydip.com

enlistedconnection.com

qa5g.com

makeandmendproductions.com

casethepeer.com

themusicseeds.com

xn--dlicatbikini-beb.com

unlimitedfp.com

homemadebakeries.info

thedealaccessories.com

mpoweru.life

dannalerma.com

toploveconcierge.com

ciaslo02.com

501581.com

mywordsunspoken.com

corrections-coaching-vienne.com

scdtohxvc.icu

aliteksaviationsafety.com

virtualcommerce.network

stgilespantry.com

trianglereviews.com

themontebelloatbiltmore.com

newsongsalways.com

autoglobal-ks.com

zbsun.com

zikao08.com

viruswaarheid.club

apicolaizquierdo.com

expertschain.com

spolm.com

jumboprivady.com

walkonhome.com

abrosnm3.com

caodongmei.com

cultivarholding.com

roq.media

kayanproperties.com

dowcosta4truckee.com

lovelesssaddlery.com

norarahimian.net

sicepatbet.com

utahsafecompany.com

sznaikan.com

lonestarbeverageservices.com

thaenablers.com

junyi81.com

compare-vacation-yg.fyi

omairmaryam.com

aaliyahchhabra.com

yqz8888.net

thobeya.com

tcgsantodomingo.com

valkconstruction.com

puristmoactivepure.com

izzieolsen.com

thewholenew.com

motherlodeliquor.com

urodiran.com

nordiic.com

verogustopromise.com

Targets

- Target
  
  status.xlsx
- Size
  
  1.2MB
- MD5
  
  29f0bda585a8167f6454692a90bc4680
- SHA1
  
  caf70f07d7e1f5fbd3cc80976eb3b72a63a883cf
- SHA256
  
  f733a7388657968b77ebcf2996451ff762cbdcc6f064e11b9a3671b47c29d17f
- SHA512
  
  936ae0cf1980b360617fd8ab9ab90727dcd1f628fababee16b108836a0cb4182d9d50169f4efb0914ac89d8ecbc9c765695c30221a05905e795658005a1b4f1d
Score

10^/10

xloader loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- CustAttr .NET packer
  Detects CustAttr .NET packer in memory.
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderloaderratsuricata

behavioral2

© 2018-2024

Terms | Privacy