xloader | 1ea4325defe122660025640e56aa51f5f2b131ac032a50de3e2d9a0a66254920 | Triage

Submit
Reports

Overview

overview

Static

static

1

Port_UETQY...df.exe

windows7_x64

Port_UETQY...df.exe

windows10_x64

Sharing

General

Target

Port_UETQYDYA_99381,pdf.exe
Size

246KB
Sample

211028-psv22agcgn
MD5

6013bdae92b82faae5b32efadb39530f
SHA1

6eec1e1ab9c075b3126987d49bf4540b37accb9f
SHA256

1ea4325defe122660025640e56aa51f5f2b131ac032a50de3e2d9a0a66254920
SHA512

cbe047531effb3718c66aa298a39a5a67c18c8da2b661704938c3993bac7e50e0df4f082949e4ad79687e4d296c9b4d376ee189821ebd182047caec8342fc8ec

Score

10^/10

xloader dgt9 loader persistence rat spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

Port_UETQYDYA_99381,pdf.exe

Resource

win7-en-20210920

xloader dgt9 loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Port_UETQYDYA_99381,pdf.exe

Resource

win10-en-20210920

xloader dgt9 loader persistence rat spyware stealer suricata

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dgt9

C2

http://www.discountaquarium.com/dgt9/

Decoy

glimpse-media.com

crimsongomidv.xyz

seo-clicks6.com

cloudbreakhq.com

oakabbey.net

findcasinoslots.com

thehelloloveshop.com

havetsuczyli.quest

celestialtransportation.net

nianlun.wiki

valentinaturals.com

808gang.net

tykaa.com

sparoom.store

empregosbr1.online

visaractivateddprocessing.com

industriamadereraargentina.com

ekopressbrake.com

984561.com

oklahomacasinoreviews.com

weihao.online

ct5k.com

ncya14.xyz

drinkrhino.com

syrianwindow.com

dsj2015.com

income-icm.com

rdaubuisson.com

686281.com

crushanxiety.com

tetstore.com

api-23nnys.com

jizhibao.xyz

echosymbol.com

gftsets.com

tenlog066.xyz

syzhangyi.com

fortlewisapartment.com

flatironstreeservice.com

daomars.com

metaverse360.biz

suplena.top

rontestcfb29.com

christmaspyjamashop.com

lftreasures.com

datsdopedesign.com

recloud-inc.com

maloma4u.com

imagesetblues.paris

wantto.net

barco-group.com

ebonygirls.net

freenewgameonline.com

berryfreshcans.com

ez.money

maxicashprofgt.xyz

wilyardmarketing.com

sukien-membership-garana.com

andrewwoodrealty.com

efllubricants.com

wwwa526.com

khl0q.com

beijixing-zs.com

suwei8.com

Targets

- Target
  
  Port_UETQYDYA_99381,pdf.exe
- Size
  
  246KB
- MD5
  
  6013bdae92b82faae5b32efadb39530f
- SHA1
  
  6eec1e1ab9c075b3126987d49bf4540b37accb9f
- SHA256
  
  1ea4325defe122660025640e56aa51f5f2b131ac032a50de3e2d9a0a66254920
- SHA512
  
  cbe047531effb3718c66aa298a39a5a67c18c8da2b661704938c3993bac7e50e0df4f082949e4ad79687e4d296c9b4d376ee189821ebd182047caec8342fc8ec
Score

10^/10

xloader dgt9 loader rat suricata persistence spyware stealer
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderdgt9loaderratsuricata

behavioral2

xloaderdgt9loaderpersistenceratspywarestealersuricata

© 2018-2024

Terms | Privacy