xloader | 16767c9a749db0d3cad5f9778a1a11997899af377b2935251edce7237ab1512c | Triage

Submit
Reports

Overview

overview

Static

static

NEW ORDER ...T.xlsx

windows7_x64

NEW ORDER ...T.xlsx

windows10_x64

1

Sharing

General

Target

NEW ORDER AST 28-29 OCT.xlsx
Size

369KB
Sample

211021-gzdgkaager
MD5

90945f68e40c52dad2d8631ca83783cc
SHA1

41fe1605b8c882cf4bd72af59daeca282a21dc5f
SHA256

16767c9a749db0d3cad5f9778a1a11997899af377b2935251edce7237ab1512c
SHA512

d6e609dd8289a1ab4a5d256ca9e040c630985afebf4be8ebd5792a36defc00cf644a64ec97c31ed2b9637ef36f5f86c718d27bc2b857a129ceb8b9def7825a90

Score

10^/10

xloader ahdu agilenet loader rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

NEW ORDER AST 28-29 OCT.xlsx

Resource

win7-en-20211014

xloader ahdu agilenet loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

NEW ORDER AST 28-29 OCT.xlsx

Resource

win10-en-20210920

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ahdu

C2

http://www.casinoregio.com/ahdu/

Decoy

premiumfreebie.com

spintheblackestcircles.com

okaidoku-shop.net

zonaseguradregistropremios.com

wzocflfow.com

maanyah.com

warrioredjuan.com

uniquelypizza.com

wondertreehr.com

ddriiverzautozs.com

mattenterline.com

urenium.com

salonjedibreakthrough.com

imgkurd.com

pierrejacqueslyon.com

quimicasurandina.com

jkpfukgmt.icu

ansariclinic.com

ashleysema.design

arkadiafoliage.com

fhstzy.com

beautyandherocean.com

hgw234.com

whiteclawdogseltzer.com

montecitobeaches.com

weixinseo.xyz

javpanel.com

mayonnaiseplant.com

shooternetsports.com

withagecny.com

northernloss.com

theshedscharityshop.com

mi-darulaman.com

sezginotel.com

dreamcricketpro.com

mail-globo-com-webmails.com

seucorpofit.com

konversiondigital.com

nirvavacenter.com

communicateforfreedom.com

maxwellgroupphyscians.com

ltcy4.com

find-my-kids.com

gromov-plc.com

premiercovidscreening.com

telemedde.com

ifapt.com

getopalace.com

ralsendo.com

weinsurebars.com

bainrix.com

precisionprobusiness.com

therussellpinto.com

resepindonesia.space

obluedotpanobuy.com

vrev.net

source824.xyz

betsunmacougold.com

mabtas.com

mazcommunity.com

blockchainwallet.solutions

valentineennett.xyz

dolcevazquez.com

institutobalcarceolavarria.com

Targets

- Target
  
  NEW ORDER AST 28-29 OCT.xlsx
- Size
  
  369KB
- MD5
  
  90945f68e40c52dad2d8631ca83783cc
- SHA1
  
  41fe1605b8c882cf4bd72af59daeca282a21dc5f
- SHA256
  
  16767c9a749db0d3cad5f9778a1a11997899af377b2935251edce7237ab1512c
- SHA512
  
  d6e609dd8289a1ab4a5d256ca9e040c630985afebf4be8ebd5792a36defc00cf644a64ec97c31ed2b9637ef36f5f86c718d27bc2b857a129ceb8b9def7825a90
Score

10^/10

xloader ahdu agilenet loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderahduagilenetloaderratsuricata

behavioral2

© 2018-2024

Terms | Privacy