xloader | 0b2a2fde35c75554477dc7ab7156423e251778db955aecb77aa95e5acdd0c2a2 | Triage

Sharing

General

Target

tmp/0b2a2fde35c75554477dc7ab7156423e251778db955aecb77aa95e5acdd0c2a2.xls
Size

229KB
Sample

211210-kcxtgahbgl
MD5

1026a44a21abd155aaa31cf41dce2e49
SHA1

98e01c50f0c58c093aa22b0a6ba398c5aa0e71d2
SHA256

0b2a2fde35c75554477dc7ab7156423e251778db955aecb77aa95e5acdd0c2a2
SHA512

e1dd384a7d01ab40421de3245f56303dff53ce810beedfe53befe60cdeb4be818631878cced9ea8a7a225237ee66591512d4e6a4ca13dfac5115c2a6c55c7128

Score

10^/10

xloader ef6c loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ef6c

C2

http://www.fis.photos/ef6c/

Decoy

gicaredocs.com

govusergroup.com

conversationspit.com

brondairy.com

rjtherealest.com

xn--9m1bq8wgkag3rjvb.com

mylori.net

softandcute.store

ahljsm.com

shacksolid.com

weekendmusecollection.com

gaminghallarna.net

pgonline111.online

44mpt.xyz

ambrandt.com

eddytattoo.com

blendeqes.com

upinmyfeels.com

lacucinadesign.com

docomoau.xyz

Targets

- Target
  
  tmp/0b2a2fde35c75554477dc7ab7156423e251778db955aecb77aa95e5acdd0c2a2.xls
- Size
  
  229KB
- MD5
  
  1026a44a21abd155aaa31cf41dce2e49
- SHA1
  
  98e01c50f0c58c093aa22b0a6ba398c5aa0e71d2
- SHA256
  
  0b2a2fde35c75554477dc7ab7156423e251778db955aecb77aa95e5acdd0c2a2
- SHA512
  
  e1dd384a7d01ab40421de3245f56303dff53ce810beedfe53befe60cdeb4be818631878cced9ea8a7a225237ee66591512d4e6a4ca13dfac5115c2a6c55c7128
Score

10^/10

xloader ef6c loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderef6cloaderratsuricata

behavioral2