xloader | 54793f5d71ebed0c4db8be0e4a9ba91f873b00cde08244f28601148c4d9b7996 | Triage

Submit
Reports

Overview

overview

Static

static

SHIPPING D...T.xlsx

windows7_x64

SHIPPING D...T.xlsx

windows10_x64

1

Sharing

General

Target

SHIPPING DOCUMENT.xlsx
Size

228KB
Sample

211130-w6mq5sfham
MD5

ee219c2a0145e821ac0b89f0ee081ddb
SHA1

a22a66920171bb0968b627e627645418a4ab983f
SHA256

54793f5d71ebed0c4db8be0e4a9ba91f873b00cde08244f28601148c4d9b7996
SHA512

cf5950deb832c0d864e9a5c845df83d1955462029fa297183b9f041de8d43512f92a9a74b495b3d6fa80dc4e5af88263b3d188d65fbda310fbd5878557cdcdcc

Score

10^/10

xloader mwev loader rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

SHIPPING DOCUMENT.xlsx

Resource

win7-en-20211104

xloader mwev loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SHIPPING DOCUMENT.xlsx

Resource

win10-en-20211014

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mwev

C2

http://www.scion-go-getter.com/mwev/

Decoy

9linefarms.com

meadow-spring.com

texascountrycharts.com

chinatowndeliver.com

grindsword.com

thegurusigavebirthto.com

rip-online.com

lm-safe-keepingtoyof6.xyz

plumbtechconsulting.com

jgoerlach.com

inbloomsolutions.com

foxandmew.com

tikomobile.store

waybunch.com

thepatriottutor.com

qask.top

pharmacylinked.com

ishii-miona.com

sugarandrocks.com

anabolenpower.net

my9m.com

ywboxiong.xyz

primetire.net

yshxdys.com

royallecleaning.com

xtrategit.com

almashrabia.net

bundlezandco.com

sandman.network

vinhomes-grand-park.com

jbarecipes.com

squareleatherbox.net

breathechurch.digital

wodemcil.com

carthy.foundation

galimfish.com

reflectbag.com

lheteclase.quest

yourvirtualevent.services

custercountycritique.com

liyahgadgets.com

sweetascaramelllc.com

lzgirlz.com

flydubaime.com

aanhanger-verhuur.com

schooldiry.com

theroadtorodriguez.com

mrteez.club

gxystgs.com

runz.online

kometbux.com

mintyhelper.com

bestinvest-4u.com

bjxxc.com

e-readertnpasumo5.xyz

experimentwithoutlimits.com

21yingyang.com

recbi56ni.com

tabulose-milfs-live.com

uglyatoz.com

websitessample.com

gogopficg.xyz

fourthandwhiteoak.com

fulvousemollientplanet.com

Targets

- Target
  
  SHIPPING DOCUMENT.xlsx
- Size
  
  228KB
- MD5
  
  ee219c2a0145e821ac0b89f0ee081ddb
- SHA1
  
  a22a66920171bb0968b627e627645418a4ab983f
- SHA256
  
  54793f5d71ebed0c4db8be0e4a9ba91f873b00cde08244f28601148c4d9b7996
- SHA512
  
  cf5950deb832c0d864e9a5c845df83d1955462029fa297183b9f041de8d43512f92a9a74b495b3d6fa80dc4e5af88263b3d188d65fbda310fbd5878557cdcdcc
Score

10^/10

xloader mwev loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloadermwevloaderratsuricata

behavioral2

© 2018-2024

Terms | Privacy