xloader | 0b9c4c0a71c0262d0af9cabc0b3cdc179ed4114e0ede23afce8342f48714adbb | Triage

Submit
Reports

Overview

overview

Static

static

BM09 INV.PL.xlsx

windows7_x64

BM09 INV.PL.xlsx

windows10_x64

1

Sharing

General

Target

BM09 INV.PL.xlsx
Size

369KB
Sample

211021-gzc6ssageq
MD5

b03819cd2356392079a49fa5f0477ff9
SHA1

c6d295042dbad6daa7eccedddd354f9e90643b31
SHA256

0b9c4c0a71c0262d0af9cabc0b3cdc179ed4114e0ede23afce8342f48714adbb
SHA512

15ccab47909ffbe46f7cc995d36d93191cf1e541cf6653ad771dd869b71a9eb3d321dc5c0569064dc2feceb40e495ea19aba1c71c055b62a4fcb7dc3f99ccf5e

Score

10^/10

xloader ons6 loader rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

BM09 INV.PL.xlsx

Resource

win7-en-20211014

xloader ons6 loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

BM09 INV.PL.xlsx

Resource

win10-en-20210920

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ons6

C2

http://www.parasitevhs.net/ons6/

Decoy

946acc.net

ilkermulla.com

edificationhub.com

aptbaby.com

luisrgonzalez.com

postandpine.com

objective-object.com

storeydrive.rentals

mobile-find.com

africanbridaluk.com

zzjn12.xyz

ritechoiceinvestmentgroup.com

zitzies.xyz

trulyproofreading.com

ktndetermine.xyz

advertising.land

keywordgomuwk.xyz

niecliomusicspirit.com

lhortelecom.com

cryptochieftan.com

fumctulsa.com

librariumclub.com

tinturas-espagiricas.com

regencyimperial.com

worldremirt.com

nikurei.com

edukado.online

med2cloud.com

sasktwl.net

ancditalia.com

nagukoohatomo.xyz

febfit.com

brasbux.com

bilinili236.xyz

girlxyz.com

trm.computer

studiomuis.com

pinnap.online

ra-hanbaiten-lulusia.xyz

desso.one

devilsheartdesign.com

gestproducts.com

mount-motion.com

miltonjorge.net

xiaomiyp6.com

rurikon2.com

wwwmwrfinancial.com

mikexktolsd.com

businessim.net

algoescrow.com

bitterbaybay.com

acidulante.com

yourchancemarketing.com

accidental-blogger.com

breastcancerforumbd.com

viellacharteredland.com

wkefaromaticum.com

guardianenergy.group

gamblersprintcars.com

midiff.com

firstbymel.com

fdwqw.xyz

ngatihaukoporeihana.com

pictureballthose.top

Targets

- Target
  
  BM09 INV.PL.xlsx
- Size
  
  369KB
- MD5
  
  b03819cd2356392079a49fa5f0477ff9
- SHA1
  
  c6d295042dbad6daa7eccedddd354f9e90643b31
- SHA256
  
  0b9c4c0a71c0262d0af9cabc0b3cdc179ed4114e0ede23afce8342f48714adbb
- SHA512
  
  15ccab47909ffbe46f7cc995d36d93191cf1e541cf6653ad771dd869b71a9eb3d321dc5c0569064dc2feceb40e495ea19aba1c71c055b62a4fcb7dc3f99ccf5e
Score

10^/10

xloader ons6 loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderons6loaderratsuricata

behavioral2

© 2018-2024

Terms | Privacy