xloader | 88c07a30074065b292335ae5d4a45f905fa8a6739d3031d2f8236d2d9a27c681 | Triage

Submit
Reports

Overview

overview

Static

static

Swift.xlsx

windows7_x64

Swift.xlsx

windows10_x64

1

Sharing

General

Target

Swift.xlsx
Size

333KB
Sample

211013-rkkmfaebar
MD5

9a43d5d2ffc56e823280ca84f6bb870f
SHA1

f0945075b44bc2cb2c96b168d47a269eb0d714ce
SHA256

88c07a30074065b292335ae5d4a45f905fa8a6739d3031d2f8236d2d9a27c681
SHA512

b46f3e608f57ae5156336355f0c7bf90ab655f3db16a0318ee0ac6b16e01ee8b5ed4eab78e3662093f9b3d2cae0bbdc9811367b3bb1ccf39098abe731ff2dd67

Score

10^/10

xloader ht08 loader persistence rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

Swift.xlsx

Resource

win7-en-20210920

xloader ht08 loader persistence rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Swift.xlsx

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ht08

C2

http://www.septemberstockevent200.com/ht08/

Decoy

joye.club

istanbulemlakgalerisi.online

annikadaniel.love

oooci.com

curebase-test.com

swisstradecenter.com

hacticum.com

centercodebase.com

recbi56ni.com

mmj0115.xyz

sharpstead.com

sprklbeauty.com

progettogenesi.cloud

dolinum.com

amaroqadvisors.com

traininig.com

leewaysvcs.com

nashhomesearch.com

joy1263.com

serkanyamac.com

nursingprogramsforme.com

huakf.com

1w3.online

watermountsteam.top

tyralruutan.quest

mattlambert.xyz

xn--fiqs8sypgfujbl4a.xn--czru2d

hfgoal.com

587868.net

noyoucantridemyonewheel.com

riewesell.top

expn.asia

suplementarsas.com

item154655544.com

cdgdentists.com

deboraverdian.com

franquiciasexclusivas.tienda

tminus-10.com

psychoterapeuta-wroclaw.com

coachingbywatson.com

lknitti.net

belenpison.agency

facilitetec.com

99077000.com

thefitmog.com

kinmanpowerwashing.com

escueladelbuenamor.com

getjoyce.net

oilelm.com

maikoufarm.com

hespresso.net

timothyschmallrealt.com

knoxvilleraingutters.com

roonkingagency.online

trashwasher.com

angyfoods.com

yungbredda.com

digipoint-entertainment.com

shangduli.space

kalaraskincare.com

ktnsound.xyz

miabellavita.com

thenlpmentor.com

marzhukov.com

Targets

- Target
  
  Swift.xlsx
- Size
  
  333KB
- MD5
  
  9a43d5d2ffc56e823280ca84f6bb870f
- SHA1
  
  f0945075b44bc2cb2c96b168d47a269eb0d714ce
- SHA256
  
  88c07a30074065b292335ae5d4a45f905fa8a6739d3031d2f8236d2d9a27c681
- SHA512
  
  b46f3e608f57ae5156336355f0c7bf90ab655f3db16a0318ee0ac6b16e01ee8b5ed4eab78e3662093f9b3d2cae0bbdc9811367b3bb1ccf39098abe731ff2dd67
Score

10^/10

xloader ht08 loader persistence rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderht08loaderpersistenceratsuricata

behavioral2

© 2018-2024

Terms | Privacy