xloader | c996c6e47abe7b54c652692c1aa2bd7b1c63b4927a8da78ca2d1de3ca7232198 | Triage

Submit
Reports

Overview

overview

Static

static

DHL_Sender...0.xlsx

windows7_x64

DHL_Sender...0.xlsx

windows10_x64

1

Sharing

General

Target

DHL_Sender_Documents_Details_021230900.xlsx
Size

355KB
Sample

210923-gzcv2ahfbm
MD5

e5c6389fe4c43e736bbe304ac2aa9912
SHA1

5d4bb21ef27c9b712c33a367c461ea78defb2849
SHA256

c996c6e47abe7b54c652692c1aa2bd7b1c63b4927a8da78ca2d1de3ca7232198
SHA512

2138ffc7b261c3c81467d8ca7fb9638f82896e74fb5147588a50edf5fc619a26994992bc6de1e455157bf65e2f14bf8fdcc771a8188f1a6a45c7b957bffe0287

Score

10^/10

xloader m0np loader rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

DHL_Sender_Documents_Details_021230900.xlsx

Resource

win7v20210408

xloader m0np loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

DHL_Sender_Documents_Details_021230900.xlsx

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m0np

C2

http://www.devmedicalcentre.com/m0np/

Decoy

gruppovimar.com

seniordatingtv.com

pinpinyouqian.website

retreatreflectreplenish.com

baby-handmade.store

econsupplies.com

helloaustinpodcast.com

europe-lodging.com

ferahanaokulu.com

thehomeinspo.com

rawhoneytnpasumo6.xyz

tyckasei.quest

scissorsandbuffer.com

jatinvestmentsmaldives.com

softandcute.store

afuturemakerspromotions.online

leonsigntech.com

havetheshortscovered.com

cvkf.email

iplyyu.com

motphimz.net

slimmerpage.com

fifthbelle.com

moneybagsinfinity.com

architettoaroma.com

rio-script.com

millieandmaude.net

pvinayak.com

nyctattoing.com

fermanfood.com

medardlake.com

40acgidd.com

mrbrianalba.com

110bao.com

shguitong.com

why5mkt.com

diptv.xyz

gotbn-a01.com

rene-weise.com

meltaluminum.com

tobiasqbrown.com

eiqor.com

bnabd.com

painubloc.com

bofoz.com

maxicashprogtq.xyz

probinns.com

yourroddays1.xyz

friedmantrusts.com

patrianilancamentos.com

cetpa.solutions

fengxiaowangluo.com

zkimax.com

bibberyhills.com

colegiodeltaaps.com

fraternitybrand.com

codemais.net

ohayouwww.com

keenflat.com

devvabaek.com

rouxbylarease.online

hongyuyinji.com

cybersecurity-andorra.online

zs4.info

Targets

- Target
  
  DHL_Sender_Documents_Details_021230900.xlsx
- Size
  
  355KB
- MD5
  
  e5c6389fe4c43e736bbe304ac2aa9912
- SHA1
  
  5d4bb21ef27c9b712c33a367c461ea78defb2849
- SHA256
  
  c996c6e47abe7b54c652692c1aa2bd7b1c63b4927a8da78ca2d1de3ca7232198
- SHA512
  
  2138ffc7b261c3c81467d8ca7fb9638f82896e74fb5147588a50edf5fc619a26994992bc6de1e455157bf65e2f14bf8fdcc771a8188f1a6a45c7b957bffe0287
Score

10^/10

xloader m0np loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Command-Line Interface

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderm0nploaderratsuricata

behavioral2

© 2018-2024

Terms | Privacy