xloader | 1707f694fc15ee93a6f06725c6a4cfe1283f6553a442a957f7b5fc646f003466 | Triage

Submit
Reports

Overview

overview

Static

static

Orsha_NSC ...t.xlsx

windows7_x64

Orsha_NSC ...t.xlsx

windows10_x64

1

Sharing

General

Target

Orsha_NSC Contract 290720 Order for new shipment.xlsx
Size

556KB
Sample

210917-x3z3qsgdc5
MD5

72d057ebfb1aa881ffee0cae72724866
SHA1

a35397bed6c5368e2b9196557af225222163faf2
SHA256

1707f694fc15ee93a6f06725c6a4cfe1283f6553a442a957f7b5fc646f003466
SHA512

6b867c53a4ee8e1f844f170c17d98071cb11e75ef0b9ea735cc2eb8bc37d9f61223f37736ecc59010f414c91f0097da0411df6eec354d4b619d379c47295ed62

Score

10^/10

xloader b6a4 loader rat

Static task

static1

Behavioral task

behavioral1

Sample

Orsha_NSC Contract 290720 Order for new shipment.xlsx

Resource

win7-en-20210916

xloader b6a4 loader rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Orsha_NSC Contract 290720 Order for new shipment.xlsx

Resource

win10-en

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

b6a4

C2

http://www.helpmovingandstorage.com/b6a4/

Decoy

gr2future.com

asteroid.finance

skoba-plast.com

rnerfrfw5z3ki.net

thesmartroadtoretirement.com

avisdrummondhomes.com

banban365.net

profesyonelkampcadiri.net

royalloanhs.com

yulujy.com

xn--naqejahan-n3b.com

msalee.net

dollyvee.com

albertagamehawkersclub.com

cbspecialists.com

findingforeverrealty.com

mrtireshop.com

wadamasanari.com

growtechinfo.com

qipai039.com

kdpwelness.com

heonyearthoo.com

comprarmiaspiradora.com

e38.site

aryadesigningstudio.com

wildwestkelly.com

mengzhanxy.com

kedaiherbalalami.com

mygaybookcase.com

meetheveganz.com

42shenmao.com

siimezhebi.com

id-ers.com

cabalzi.com

hellahealthy.life

mastermind-kc.com

erinkiauq.icu

shinebrightjournal.com

adventuresofdatinginnyc.com

kestuf.net

khadarelhodge.com

maximumsale.com

rishitaprabhu.com

dinhvitraitim.com

dalvascleaningservice.com

norfolkveggiebox.com

findsmartvestorpro.com

shuangyashanpower.com

shukujitsu.net

naughty0milf.today

jdjseshop.com

breathlessandinlove.com

abrosnm3.com

candoyuran.com

recargasasec.com

puffycannabis.com

shopnewmills.com

blue-sky-music.com

besthypee.com

idahocommunitynewsnetwork.com

darenscape.com

gamificationbiz.com

avosmains.net

starlangue.com

Targets

- Target
  
  Orsha_NSC Contract 290720 Order for new shipment.xlsx
- Size
  
  556KB
- MD5
  
  72d057ebfb1aa881ffee0cae72724866
- SHA1
  
  a35397bed6c5368e2b9196557af225222163faf2
- SHA256
  
  1707f694fc15ee93a6f06725c6a4cfe1283f6553a442a957f7b5fc646f003466
- SHA512
  
  6b867c53a4ee8e1f844f170c17d98071cb11e75ef0b9ea735cc2eb8bc37d9f61223f37736ecc59010f414c91f0097da0411df6eec354d4b619d379c47295ed62
Score

10^/10

xloader b6a4 loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderb6a4loaderrat

behavioral2

© 2018-2024

Terms | Privacy