xloader | 8827c12e68e528f3c87dc8caa02787af7107965b13496cdeca7198bfd5b5e30a | Triage

Submit
Reports

Overview

overview

Static

static

SHIPPING D...T.xlsx

windows7_x64

SHIPPING D...T.xlsx

windows10_x64

1

Sharing

General

Target

SHIPPING DOCUMENT.xlsx
Size

432KB
Sample

211029-vej1haadbn
MD5

94d6ece4ddb9b6cc4445ca5edfbc6f87
SHA1

3211b9c652ddaaa37743b864ad30d545cee0c405
SHA256

8827c12e68e528f3c87dc8caa02787af7107965b13496cdeca7198bfd5b5e30a
SHA512

c83c4c23f8dfa0f087c2dd2ae2544b3dd093c38c89667691c056a5ade9f3149109b7db672d79d3f1ea885e2139b278521a608c96b6d27e78644658ca64efe854

Score

10^/10

xloader mwev loader rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

SHIPPING DOCUMENT.xlsx

Resource

win7-en-20211014

xloader mwev loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SHIPPING DOCUMENT.xlsx

Resource

win10-en-20210920

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mwev

C2

http://www.scion-go-getter.com/mwev/

Decoy

9linefarms.com

meadow-spring.com

texascountrycharts.com

chinatowndeliver.com

grindsword.com

thegurusigavebirthto.com

rip-online.com

lm-safe-keepingtoyof6.xyz

plumbtechconsulting.com

jgoerlach.com

inbloomsolutions.com

foxandmew.com

tikomobile.store

waybunch.com

thepatriottutor.com

qask.top

pharmacylinked.com

ishii-miona.com

sugarandrocks.com

anabolenpower.net

my9m.com

ywboxiong.xyz

primetire.net

yshxdys.com

royallecleaning.com

xtrategit.com

almashrabia.net

bundlezandco.com

sandman.network

vinhomes-grand-park.com

jbarecipes.com

squareleatherbox.net

breathechurch.digital

wodemcil.com

carthy.foundation

galimfish.com

reflectbag.com

lheteclase.quest

yourvirtualevent.services

custercountycritique.com

liyahgadgets.com

sweetascaramelllc.com

lzgirlz.com

flydubaime.com

aanhanger-verhuur.com

schooldiry.com

theroadtorodriguez.com

mrteez.club

gxystgs.com

runz.online

kometbux.com

mintyhelper.com

bestinvest-4u.com

bjxxc.com

e-readertnpasumo5.xyz

experimentwithoutlimits.com

21yingyang.com

recbi56ni.com

tabulose-milfs-live.com

uglyatoz.com

websitessample.com

gogopficg.xyz

fourthandwhiteoak.com

fulvousemollientplanet.com

Targets

- Target
  
  SHIPPING DOCUMENT.xlsx
- Size
  
  432KB
- MD5
  
  94d6ece4ddb9b6cc4445ca5edfbc6f87
- SHA1
  
  3211b9c652ddaaa37743b864ad30d545cee0c405
- SHA256
  
  8827c12e68e528f3c87dc8caa02787af7107965b13496cdeca7198bfd5b5e30a
- SHA512
  
  c83c4c23f8dfa0f087c2dd2ae2544b3dd093c38c89667691c056a5ade9f3149109b7db672d79d3f1ea885e2139b278521a608c96b6d27e78644658ca64efe854
Score

10^/10

xloader mwev loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloadermwevloaderratsuricata

behavioral2

© 2018-2024

Terms | Privacy