xloader | c6fd5cd65ad33c112f367478404014e7e20c487e1ee57a460ad568a352b91f40 | Triage

Submit
Reports

Overview

overview

Static

static

1

Enquiry docs.exe

windows7_x64

Enquiry docs.exe

windows10_x64

Sharing

General

Target

Enquiry docs.zip
Size

246KB
Sample

211026-b1w3eahfck
MD5

50fd6589fce8b273570e1130dded5761
SHA1

f4f5209ad44ae7ca5a216ee08e2d82eb5d5e9f82
SHA256

c6fd5cd65ad33c112f367478404014e7e20c487e1ee57a460ad568a352b91f40
SHA512

cd1598eb7427c2c9a76a386ce5f77b683bc204191cd07b84683e0fd723e92f314e86ec50f13cfabd27d3507871149e0a3540d1319248282156ecef328a980d7c

Score

10^/10

xloader ga6b loader persistence rat spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

Enquiry docs.exe

Resource

win7-en-20210920

xloader ga6b loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Enquiry docs.exe

Resource

win10-en-20211014

xloader ga6b loader persistence rat spyware stealer suricata

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ga6b

C2

http://www.egyptian-museum.com/ga6b/

Decoy

diasporacospices.com

sd-shenghe.com

onlinewritingjobs.net

greenstreamgroup.store

garageair.agency

idh-bf.com

middenhavendambreskens.com

szkoleniawcag.online

wiremefeelings.com

ottosperformance.com

brothermush.com

weiserpath.com

baohiemtv24h.com

glassgalaxynft.com

spiritualmind.space

18130072012.com

3v0.space

smartgadgetscompare.com

corvusexpeditii.xyz

egcontabilidade.website

find0utnowfy.info

soulwinningministry.com

digitaldreamcloud.net

service-portal-kundendaten.com

theselectdifference.com

burodev.com

mustafacesuryildiz.com

grupodeinvestigacion.com

toyotadisurabaya.com

partnerbenifits.com

belledescontos.com

nobodybutgod.com

bumiths.com

acacave.com

septoctets.xyz

www73w.xyz

afghantattoos.com

interiorsbe.com

ara7z.com

qqcx666888.top

onra.top

sunfucker.net

suhuabo.com

tangerineinit.com

era636.com

lovenft.xyz

maviesurdvd.com

gullatz-consulting.com

duopasteleras.com

mystudentregistration.com

5559913.win

gritzcharlestonluxuryinn.store

themexicanbg.com

senshop.store

woodentoysforkids.store

globalgamelan.com

anjumanmuhibaneabbas.com

seattleinsurancebrokers.com

naiduteja049.info

traction.legal

twisteid.com

necesryaou.com

apan-group.com

infinityrope.store

Targets

- Target
  
  Enquiry docs.exe
- Size
  
  259KB
- MD5
  
  57e634d27ebeb3eb96a21efb56654952
- SHA1
  
  3a73a99013039be2615cbefd0cba1e4f5d10ea45
- SHA256
  
  d0df1d753742cd9d3144c77f0b343aac22fdab2a2d32bd41872dd838e2eb8a34
- SHA512
  
  20626c979cee7d4780d95c020e7ee92719595d56f6e5bcdd40a7f746c89f8961c1441c2e8867110478a093bfde4c2085f27b42baf0296274d8f049c2e28de844
Score

10^/10

xloader ga6b loader rat suricata persistence spyware stealer
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderga6bloaderratsuricata

behavioral2

xloaderga6bloaderpersistenceratspywarestealersuricata

© 2018-2024

Terms | Privacy