xloader

General

Target

b38d95879bc287171a491de879e84e0b
Size

847KB
Sample

211020-y81f5aadhl
MD5

b38d95879bc287171a491de879e84e0b
SHA1

f9bb64fd8d71bc1b689d382e136a00387ad7d9cf
SHA256

c66278e7c7a5ccb279d55d3dc1b3ef42188e47f276f09d5a8f686a5ba2ab3dd7
SHA512

53968a3ac35efcf8e6f0b55c20175cf5fd726b8bbdd2c567d05bbb52f9702d3c50abd99cac5cc3d2d3a40a09f6a6de35228ea1763f249577954e369a877fd18b

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

o4um

C2

http://www.dependablelawnsnow.com/o4um/

Decoy

kagami-belt.com

k7e.xyz

slowcontentmarketing.com

nativeamericannurse.com

stadtquartier.xyz

vietlinkmart.com

numisme.xyz

lypp-sh.com

walkerwaughray.com

homerightsolutions.com

vpdd.top

857741.com

informednewsreader.com

misachoavien.com

aslanrefinedhomes.com

bjhaitaoshop.com

lb-fo.com

shadedfaetattoos.com

tallulahapp.com

amhonlinemarketing.com

Targets

- Target
  
  b38d95879bc287171a491de879e84e0b
- Size
  
  847KB
- MD5
  
  b38d95879bc287171a491de879e84e0b
- SHA1
  
  f9bb64fd8d71bc1b689d382e136a00387ad7d9cf
- SHA256
  
  c66278e7c7a5ccb279d55d3dc1b3ef42188e47f276f09d5a8f686a5ba2ab3dd7
- SHA512
  
  53968a3ac35efcf8e6f0b55c20175cf5fd726b8bbdd2c567d05bbb52f9702d3c50abd99cac5cc3d2d3a40a09f6a6de35228ea1763f249577954e369a877fd18b
Score

10^/10

xloader o4um loader persistence rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2