xloader | 917256cc05e973907b1b96166374b2a31b2cba9c328c1a79a8bc1e50f2979bcd | Triage

Submit
Reports

Overview

overview

Static

static

001_Shippi...1.xlsx

windows7_x64

001_Shippi...1.xlsx

windows10_x64

1

Sharing

General

Target

001_Shipping_Documents_information_092121.xlsx
Size

588KB
Sample

210921-jwjkhsbdgj
MD5

21ebbd592e50341c7dfdde85bd801fbc
SHA1

b4421c31784ecfc4b523f77fa0ff804fd8920dcd
SHA256

917256cc05e973907b1b96166374b2a31b2cba9c328c1a79a8bc1e50f2979bcd
SHA512

5abaa9d5049c9852724132b488ea8ba38f8333c30bb7ad7ecf4cc9bd4d6ab48a47b322c1d24ee197a9408d2a98e0bf458d3886a23214cb0fde156ffb63c9be2a

Score

10^/10

xloader m0np loader rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

001_Shipping_Documents_information_092121.xlsx

Resource

win7v20210408

xloader m0np loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

001_Shipping_Documents_information_092121.xlsx

Resource

win10-en-20210920

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m0np

C2

http://www.devmedicalcentre.com/m0np/

Decoy

gruppovimar.com

seniordatingtv.com

pinpinyouqian.website

retreatreflectreplenish.com

baby-handmade.store

econsupplies.com

helloaustinpodcast.com

europe-lodging.com

ferahanaokulu.com

thehomeinspo.com

rawhoneytnpasumo6.xyz

tyckasei.quest

scissorsandbuffer.com

jatinvestmentsmaldives.com

softandcute.store

afuturemakerspromotions.online

leonsigntech.com

havetheshortscovered.com

cvkf.email

iplyyu.com

motphimz.net

slimmerpage.com

fifthbelle.com

moneybagsinfinity.com

architettoaroma.com

rio-script.com

millieandmaude.net

pvinayak.com

nyctattoing.com

fermanfood.com

medardlake.com

40acgidd.com

mrbrianalba.com

110bao.com

shguitong.com

why5mkt.com

diptv.xyz

gotbn-a01.com

rene-weise.com

meltaluminum.com

tobiasqbrown.com

eiqor.com

bnabd.com

painubloc.com

bofoz.com

maxicashprogtq.xyz

probinns.com

yourroddays1.xyz

friedmantrusts.com

patrianilancamentos.com

cetpa.solutions

fengxiaowangluo.com

zkimax.com

bibberyhills.com

colegiodeltaaps.com

fraternitybrand.com

codemais.net

ohayouwww.com

keenflat.com

devvabaek.com

rouxbylarease.online

hongyuyinji.com

cybersecurity-andorra.online

zs4.info

Targets

- Target
  
  001_Shipping_Documents_information_092121.xlsx
- Size
  
  588KB
- MD5
  
  21ebbd592e50341c7dfdde85bd801fbc
- SHA1
  
  b4421c31784ecfc4b523f77fa0ff804fd8920dcd
- SHA256
  
  917256cc05e973907b1b96166374b2a31b2cba9c328c1a79a8bc1e50f2979bcd
- SHA512
  
  5abaa9d5049c9852724132b488ea8ba38f8333c30bb7ad7ecf4cc9bd4d6ab48a47b322c1d24ee197a9408d2a98e0bf458d3886a23214cb0fde156ffb63c9be2a
Score

10^/10

xloader m0np loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderm0nploaderratsuricata

behavioral2

© 2018-2024

Terms | Privacy