xloader | 7f1234fef1cd3abb7a451afc69c458b03fd125e1a553b5af679bc79297986be5 | Triage

Sharing

General

Target

JEP Sports Player Rating.xlsx
Size

366KB
Sample

211021-gzc6ssagen
MD5

4fb3e59606677f24794e9d10668cebeb
SHA1

8f8e1f1c84523cbc96d934c4ba30f910772f4754
SHA256

7f1234fef1cd3abb7a451afc69c458b03fd125e1a553b5af679bc79297986be5
SHA512

2c5cd7e0747caf6f7e93323da826fd515fdcf2b29f7f3aa01c16818d5a238089b84547b7eced1b20dc868d79d442f9c1f7fb675c992a2b6e004bb8fcf2d9662f

Score

10^/10

xloader sb6n loader persistence rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

sb6n

C2

http://www.best5amazon.com/sb6n/

Decoy

bogosamba.com

inmobiliariapuertalavilla.com

nopressurewellness.com

hairshopamity.com

epicmoments360.com

tutorgpa.com

fucibou.xyz

135631.com

portraydashcam.com

raqsarabia.com

okantis.net

vongquaykimcuongfreefire.online

prodom.online

5537sbishop.info

lisakenneyinc.com

fivetime.xyz

borzv.com

joungla.com

mas-urbano.com

sjczyw.com

Targets

- Target
  
  JEP Sports Player Rating.xlsx
- Size
  
  366KB
- MD5
  
  4fb3e59606677f24794e9d10668cebeb
- SHA1
  
  8f8e1f1c84523cbc96d934c4ba30f910772f4754
- SHA256
  
  7f1234fef1cd3abb7a451afc69c458b03fd125e1a553b5af679bc79297986be5
- SHA512
  
  2c5cd7e0747caf6f7e93323da826fd515fdcf2b29f7f3aa01c16818d5a238089b84547b7eced1b20dc868d79d442f9c1f7fb675c992a2b6e004bb8fcf2d9662f
Score

10^/10

xloader sb6n loader persistence rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloadersb6nloaderpersistenceratsuricata

behavioral2