xloader | 16b2ff1b7878c49d974b08f7a91669a472c4bfacbfbf486209c6cefe2c117302 | Triage

Submit
Reports

Overview

overview

Static

static

SALES CONT...1.xlsx

windows7_x64

SALES CONT...1.xlsx

windows10_x64

1

Sharing

General

Target

SALES CONTRACT 914 VIPA ORDER 213581.xlsx
Size

587KB
Sample

210921-jwjkhsbdfr
MD5

57d15b392c41d1fef88631aa16d1717f
SHA1

19edf447fb1f102d85f22df4bdc13f8b5a3504bc
SHA256

16b2ff1b7878c49d974b08f7a91669a472c4bfacbfbf486209c6cefe2c117302
SHA512

6eba268985edf22d1cd0f6e9f905fc6b1896009fed103b221b100447a6c8d85c8d5316f22a333be61594361bf71c3b411ae30f588e933bb73cc32f745519147d

Score

10^/10

xloader 9gdg loader rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

SALES CONTRACT 914 VIPA ORDER 213581.xlsx

Resource

win7-en-20210920

xloader 9gdg loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SALES CONTRACT 914 VIPA ORDER 213581.xlsx

Resource

win10-en-20210920

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

9gdg

C2

http://www.dechocolate.online/9gdg/

Decoy

cao-catos.ca

humanityumbrella.com

heatherflintford.com

paddyjulian.com

venturedart.com

pimpyoursmile.com

shellbacklabs.com

acesteeisupply.com

socotrajeweltours.com

aykutozden.com

corncobmeal.com

lesbiansforever.com

picknock.com

pawspetreiki.com

waikikidesignco.com

lelittnpasumo4.xyz

billing-updating.info

barangdapo.com

gatorfirerescue.com

jmovt.com

yozotnpasumo4.xyz

theindiandreams.com

javfish.com

algorham.photography

eurocustompainting.com

commentcard.club

probinns.com

yourlenderjake.net

bestofmdi.guide

miniperfumeria.com

shanxishuangcheng.com

viviantle.com

metaverseliveshopping.com

xn--vckzfv91k.com

garygoodtime.com

meysaninsaat.com

vietnamagritourism.online

greenpillers.net

hughhegartyhedgecutting.com

clarkdn.com

b148t1rfm01qvtbnvgc5418.com

trump-911-memorial.com

seekr.tech

amarettoliqueur.info

planext4u.com

dzairfoot24.com

freshstartdaycarecenterinc.com

redwoodwomen.com

reallyfuntastic.com

cc-expert.com

vaccineexemption.net

goforgreentech.com

800maintenance.services

xn--zimmerei-lking-psb.info

football-latest.mobi

livenetsex.com

christinamossoriginals.com

zebraadz.com

targonia.com

pampashub.com

pallavitatelier.com

aboveallsupplies.com

hyderabadgroceries.com

starpluscommercial.com

Targets

- Target
  
  SALES CONTRACT 914 VIPA ORDER 213581.xlsx
- Size
  
  587KB
- MD5
  
  57d15b392c41d1fef88631aa16d1717f
- SHA1
  
  19edf447fb1f102d85f22df4bdc13f8b5a3504bc
- SHA256
  
  16b2ff1b7878c49d974b08f7a91669a472c4bfacbfbf486209c6cefe2c117302
- SHA512
  
  6eba268985edf22d1cd0f6e9f905fc6b1896009fed103b221b100447a6c8d85c8d5316f22a333be61594361bf71c3b411ae30f588e933bb73cc32f745519147d
Score

10^/10

xloader 9gdg loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloader9gdgloaderratsuricata

behavioral2

© 2018-2024

Terms | Privacy