Overview

overview

10

Static

static

10

xloader

macos_amd64

10

Resubmissions

02-09-2021 14:41

210902-r2t77sadd5 10

26-08-2021 20:08

210826-x63p7evsw6 10

26-08-2021 17:01

210826-hhfzsjhlaj 10

Analysis

  • max time network
    152s
  • platform
    macos_amd64
  • resource
    macos
  • submitted
    26-08-2021 17:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xloader

  • Size

    124KB

  • MD5

    997af06dda7a3c6d1be2f8cac866c78c

  • SHA1

    fb83d869f476e390277aab16b05aa7f3adc0e841

  • SHA256

    46adfe4740a126455c1a022e835de74f7e3cf59246ca66aa4e878bf52e11645d

  • SHA512

    5df92bfc5ab9392b3f7d66f84f625a0de4fd19a2fa3df61fc5bad0e57cc657e4f86d1d5dac9cc57b98a80815a446edd426cf7a5ea5834e4f7ff338f51781f9bf

Score
10/10
xloaderloaderratsuricata

Malware Config

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 1 IoCs
    rat

Processes

  • /bin/sh
    sh -c "sudo /Users/run/xloader"
    1⤵
      PID:465
    • /bin/bash
      sh -c "sudo /Users/run/xloader"
      1⤵
        PID:465
      • /usr/bin/sudo
        sudo /Users/run/xloader
        1⤵
          PID:465
          • /Users/run/xloader
            /Users/run/xloader
            2⤵
              PID:467
          • /bin/sh
            sh -c /var/root/.ATi8D2BH564L/elWP.app/Contents/MacOS/elWP
            1⤵
              PID:468
            • /bin/bash
              sh -c /var/root/.ATi8D2BH564L/elWP.app/Contents/MacOS/elWP
              1⤵
                PID:468
              • /var/root/.ATi8D2BH564L/elWP.app/Contents/MacOS/elWP
                /var/root/.ATi8D2BH564L/elWP.app/Contents/MacOS/elWP
                1⤵
                  PID:468

                Network

                MITRE ATT&CK Matrix

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /private/var/root/.ATi8D2BH564L/elWP.app/Contents/Info.plist
                  MD5

                  58f137fffefab27b124c17fa1dd4bbd0

                  SHA1

                  2d73d6f72072cdca74ec8d65b61484237013dcae

                  SHA256

                  ede3724620e02ff9a7fd2989fb877f8bfa2178f24ff27ebcdebf65d24a6ec232

                  SHA512

                  e21f8b3db4499cef816dc85954137e83d173c5648daa1575fc0f9fd9acf1887f212008093947bea6339e2e38126a82bfc3bd3a0d484f8b3e433a80014f2ed82a

                  Download Submit

                • /private/var/root/.ATi8D2BH564L/elWP.app/Contents/MacOS/elWP
                  MD5

                  997af06dda7a3c6d1be2f8cac866c78c

                  SHA1

                  fb83d869f476e390277aab16b05aa7f3adc0e841

                  SHA256

                  46adfe4740a126455c1a022e835de74f7e3cf59246ca66aa4e878bf52e11645d

                  SHA512

                  5df92bfc5ab9392b3f7d66f84f625a0de4fd19a2fa3df61fc5bad0e57cc657e4f86d1d5dac9cc57b98a80815a446edd426cf7a5ea5834e4f7ff338f51781f9bf

                  Download Submit