xloader

General

Target

triage_dropped_file
Size

941KB
Sample

211025-m44r7sghep
MD5

538af9b3eb449aaf53eeaf6ecf3c4037
SHA1

edc27955b5d2388c7a2b792721941d2c270eac5a
SHA256

de43df6bd459b56aec0cd86e0873cc0c5b556e08547e2b9ea79082c44d9b7220
SHA512

a5eb2c410f8669bfb744158d459fe69221649d444394958774f2d91b7082c6537f798114ca51b395d7fe35db634cf41b86d6b7bb589ee17e0acd688bfea17ba3

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

fpdi

C2

http://www.walletwriter.space/fpdi/

Decoy

jencio.com

b9jty7.com

banahinvestments.com

capitolfurniture.net

jlvip1086.com

pompeyocargo.com

designbyshubhi.info

elbauldepecas.com

bracelexx.online

advanceporbrx.xyz

ruihongco.com

wipemirecord.com

goodfoodsme.com

sommpick.com

rangilugujarat.com

realestate5g.com

spunkdlashes.com

palisadestahoehousing.com

brandingsocal.com

privatejetsboston.com

Targets

- Target
  
  triage_dropped_file
- Size
  
  941KB
- MD5
  
  538af9b3eb449aaf53eeaf6ecf3c4037
- SHA1
  
  edc27955b5d2388c7a2b792721941d2c270eac5a
- SHA256
  
  de43df6bd459b56aec0cd86e0873cc0c5b556e08547e2b9ea79082c44d9b7220
- SHA512
  
  a5eb2c410f8669bfb744158d459fe69221649d444394958774f2d91b7082c6537f798114ca51b395d7fe35db634cf41b86d6b7bb589ee17e0acd688bfea17ba3
Score

10^/10

xloader fpdi loader rat suricata persistence spyware stealer
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Adds policy Run key to start application

Executes dropped EXE

Deletes itself

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2