xloader | cc9ff3d7e92b4cd7b0a1abea6429d243b185d0f9d52d184ce91a34cb0c7a9ed8 | Triage

Sharing

General

Target

PO_KIND122822_.xlsx
Size

1.3MB
Sample

210824-hcl2pjvgas
MD5

302a2edb81d9e753217958ee2eccb691
SHA1

54fc8ec70f01fd8b5576b24ee98e11c55a50bbe6
SHA256

cc9ff3d7e92b4cd7b0a1abea6429d243b185d0f9d52d184ce91a34cb0c7a9ed8
SHA512

f5cbd28965bfd3909d8b86f78f32be510bee2daac7d35593881694c7eb0276d42e9072e2875f4b66f44c4b9332e30ec513d5b8e677d69d9be8ddf28aca4d8910

Score

10^/10

xloader n8ba loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n8ba

C2

http://www.narrowpathwc.com/n8ba/

Decoy

thefitflect.com

anytourist.com

blggz.xyz

ascope.club

obyeboss.com

braun-mathematik.online

mtsnurulislamsby.com

jwpropertiestn.com

animalds.com

cunerier.com

sillysocklife.com

shopliyonamaaghin.net

theredcymbalsco.com

lostbikeproject.com

ryggoqlmga.club

realestatetriggers.com

luvlauricephotography.com

cheesehome.cloud

5fashionfix.net

wata-6-rwem.net

Targets

- Target
  
  PO_KIND122822_.xlsx
- Size
  
  1.3MB
- MD5
  
  302a2edb81d9e753217958ee2eccb691
- SHA1
  
  54fc8ec70f01fd8b5576b24ee98e11c55a50bbe6
- SHA256
  
  cc9ff3d7e92b4cd7b0a1abea6429d243b185d0f9d52d184ce91a34cb0c7a9ed8
- SHA512
  
  f5cbd28965bfd3909d8b86f78f32be510bee2daac7d35593881694c7eb0276d42e9072e2875f4b66f44c4b9332e30ec513d5b8e677d69d9be8ddf28aca4d8910
Score

10^/10

xloader n8ba loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Exploitation for Client Execution

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloadern8baloaderratsuricata

behavioral2