xloader

General

Target

Profoma Invoice.doc.zip
Size

450KB
Sample

210922-em9ccsdgdn
MD5

bf298b03f15074ccc248a0ad33fc4c27
SHA1

86f7332862faa87f1cc4c532980b2683ca958553
SHA256

67dc8a7809969daae173568204d468ae93d0985a8fc2b0caafebc30be43cc110
SHA512

7143208110219c3670079a61ee70f9e2b7e98d5e0a37d4c7f640b7ef30b61434edfa3625b1c7d2cac402c7ecc93fbf8462467d8ff436d6fc6bd9768c3ce63b8a

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

c2ue

C2

http://www.heidevelop.xyz/c2ue/

Decoy

isportdata.com

stellarex.energy

hsucollections.com

menuhaisan.com

joe-tzu.com

lumichargemktg.com

uae.tires

rapidcae.com

softwaresystemsolutions.com

s-galaxy.website

daewon-talks.net

northgamesnetwork.com

catalogue-bouyguestele.com

criativanet.com

theseasonalshift.com

actionfoto.online

openmaildoe.com

trashpenguin.com

ennopure.net

azurermine.com

Targets

- Target
  
  Profoma Invoice.doc.exe
- Size
  
  992KB
- MD5
  
  4f25ed58038558b2e83f18896b245791
- SHA1
  
  80be9861fa9f10581fc77e0c4a1405dd5042365d
- SHA256
  
  03b8b680955c5827b5f80ace4afb923c2a5714cbe1b9ca579ab6f197b8826bc6
- SHA512
  
  8e586af0f9214b59075811bb15779ef7460e436c18c1995c70d3aafb3c6cb4d5def9671ae829df49d294588845f34e997b9b293366f289b3c7f782b55aa6dd63
Score

10^/10

xloader c2ue loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Blocklisted process makes network request

Deletes itself

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2