xloader | 95a278aa609c78dd38f16e531e878d0c30ed0e9dac153eaf1428c5dfb4209cc1 | Triage

Submit
Reports

Overview

overview

Static

static

1

RFQ65387,pdf.exe

windows7_x64

RFQ65387,pdf.exe

windows10_x64

Sharing

General

Target

RFQ65387,pdf.iso
Size

422KB
Sample

210927-bav3esfdcl
MD5

96702f468ffacbfe0149b23ad46deb44
SHA1

177c2f7adceba614024dbae53618db18cef943a0
SHA256

95a278aa609c78dd38f16e531e878d0c30ed0e9dac153eaf1428c5dfb4209cc1
SHA512

bd0fee92ceacd990739a8105c0eac9584f874b0b15179858cb5a152efd0cd1d722db8cf83a4eee1b989da2ccd55804af70878ecd8d6df8b0e19b91b33b9fd2e0

Score

10^/10

xloader eqza loader persistence rat spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

RFQ65387,pdf.exe

Resource

win7-en-20210920

xloader eqza loader persistence rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

RFQ65387,pdf.exe

Resource

win10v20210408

xloader eqza loader persistence rat spyware stealer suricata

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

eqza

C2

http://www.262266.store/eqza/

Decoy

portcities.website

intuiters.com

jpworld1.com

5riversmgnt.com

sub-cold.xyz

atrven.club

joysfamilypressurewashing.com

thrivingafter30nation.com

yaoguankeji.online

homesbythomasadams.com

signalist.xyz

rastipponmkh.com

5o8realty.com

gantongxunlian.ltd

ticvideo.com

renemutt.com

eden-order.com

trevaleaf.com

vatikanlottery.com

zzswfp.com

mebel-pf.store

gabtechglobalacademy.com

sofitel-foshan.com

localvirgingirl.xyz

cashforhuntsvillehomes.com

ledytj.com

floetic.design

eveninggatherings.com

amilawda.com

staybyvalediaz.com

institutfrancais-ifac.com

suddennnnnnnnnnnn20.xyz

perfectempbiz.com

nichesblogs.com

seminoleworm.com

dusa.codes

meetings-expo.com

fuwanming10.com

jessicanutrition.com

speedprosmotorsports.com

diearchitekt.net

httpxhydh233.xyz

petit-clasquin.com

getsimplehabit.com

loveintegritytrust.com

righttriviaemail.com

a2detail.com

xn--oprationmyopie-aix-cwb.com

chalet-in-the-alps.com

neracobel.com

bakc.xyz

v8dmjy4ct.com

freedomtourbus.com

nefesh.pro

blandtigersyouthbasketball.com

objectsapi.com

sxlaochencu.com

efootballpro2022.net

privateproxyguides.com

itgrlglo.com

placerauctions.com

barbaraksmith.store

themintedhotels.com

wwwripostes.net

Targets

- Target
  
  RFQ65387,pdf.exe
- Size
  
  360KB
- MD5
  
  9c4328f837278a309e1542f10141b175
- SHA1
  
  042c426526fdf26bcbe7cb1a404f41e9db6d95c3
- SHA256
  
  f2510c206c2e43f92163e4f10d43fefa38522cdf17ba22b228e2178523dbf2d4
- SHA512
  
  ad581fae46d1a517404e58f1234f684fdac4422a0264f140d8723c95c7fe4c36d5943799edda2d6d2e73b2b702077ef6f8b7910204d52d2d65e34ef90f7ad223
Score

10^/10

xloader eqza loader persistence rat suricata spyware stealer
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloadereqzaloaderpersistenceratsuricata

behavioral2

xloadereqzaloaderpersistenceratspywarestealersuricata

© 2018-2024

Terms | Privacy