xloader

General

Target

115-209.doc
Size

877KB
Sample

211008-nl61aaebam
MD5

33ba18af523e6abde86bdd1adf3bf452
SHA1

a191108684d44472e1a059d3c9ae34913559874e
SHA256

5f4b71e4968e877ecb5b41ce6f780b915cb2666cafc6e5c61434e8cb07600136
SHA512

291de77dbddd91786c30ac716fe9b0fed43bc89cd1c652b53d17515324cdf5dd88b8c638e01d79153160efd88399dea45498c4b2b225ddb7019d66437dc2f3af

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

noha

C2

http://www.mglracing.com/noha/

Decoy

iphone13promax.support

trailer-racks.xyz

overseaspoolservice.com

r2d2u.com

dawajeju.com

nextgenproxyvote.com

xn--vhqp8mm8dbtz.group

commonsenserisk.com

cmcqgxtyd.com

data2form.com

bois-applique.com

originallollipop.com

lj0008lj.net

spfldvaccineday.info

phalcosnusa.com

llcmastermachine.com

onlyforu14.rest

bestmarketingautomations.com

officialswitchmusic.com

thepretenseofjustice.com

Targets

- Target
  
  115-209.doc
- Size
  
  877KB
- MD5
  
  33ba18af523e6abde86bdd1adf3bf452
- SHA1
  
  a191108684d44472e1a059d3c9ae34913559874e
- SHA256
  
  5f4b71e4968e877ecb5b41ce6f780b915cb2666cafc6e5c61434e8cb07600136
- SHA512
  
  291de77dbddd91786c30ac716fe9b0fed43bc89cd1c652b53d17515324cdf5dd88b8c638e01d79153160efd88399dea45498c4b2b225ddb7019d66437dc2f3af
Score

10^/10

xloader noha loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Xloader Payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2