xloader | 0f4df99356c9f5c4d67b60d3a7d352782aa83ea82057716eb706d480c8616b26 | Triage

Submit
Reports

Overview

overview

Static

static

Order Conf...4.xlsx

windows7_x64

Order Conf...4.xlsx

windows10_x64

1

Sharing

General

Target

Order Confirmation nr. 2021-O-1274.xlsx
Size

797KB
Sample

211214-qg8pesggcq
MD5

f2c6d74d9faa8dd958dbd50101a95792
SHA1

489079097bc05626dccd8d6079e925079305ca43
SHA256

0f4df99356c9f5c4d67b60d3a7d352782aa83ea82057716eb706d480c8616b26
SHA512

43183d5b1bd787789ffd40d323b1f236c246ddabcbde366671c34d7b733fb94c470839c9810d7cd4f0338ea235052b7c860e9ec1b15a1b8c414e7aec3b86ed2e

Score

10^/10

xloader fqiq loader rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

Order Confirmation nr. 2021-O-1274.xlsx

Resource

win7-en-20211208

xloader fqiq loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Order Confirmation nr. 2021-O-1274.xlsx

Resource

win10-en-20211208

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

fqiq

C2

http://www.esyscoloradosprings.com/fqiq/

Decoy

driventow.com

ipatchwork.today

bolder.equipment

seal-brother.com

mountlaketerraceapartments.com

weeden.xyz

sanlifalan.com

athafood.com

isshinn1.com

creationslazzaroni.com

eclecticrenaissancewoman.com

satellitephonstore.com

cotchildcare.com

yamacorp.digital

ff4cuno43.xyz

quicksticks.community

govindfinance.com

farmersfirstseed.com

megacinema.club

tablescaperendezvous4two.com

ecarehomes.com

floaterslaser.com

benisano.com

saint444.com

thedusi.com

avafxtrade.online

hanenosuke.com

suntioil4u.com

healthyweekendtips.com

24000words.com

ofbchina.net

begukiu0.info

wolmoda.com

mask60.com

4bellemaison.com

mambacustomboats.com

sedsn.com

doggycc.com

kangrungao.com

pharmacistcharisma.com

passiverewardssystems.com

qywyfeo8.xyz

shenjiclass.com

rdoi.top

lavishbynovell.com

fleetton.com

hillcresthomegroup.com

hartfulcleaning.com

srofkansas.com

applebroog.industries

phillytrainers.com

dmc--llc.com

sosoon.store

daysyou.com

controldatasa.com

markarge.com

hirayaawards.com

clinicscluster.com

sophiagunterman.art

kirtansangeet.com

residential.insure

ribbonofficial.com

qianhaijcc.com

fytvankin.quest

Targets

- Target
  
  Order Confirmation nr. 2021-O-1274.xlsx
- Size
  
  797KB
- MD5
  
  f2c6d74d9faa8dd958dbd50101a95792
- SHA1
  
  489079097bc05626dccd8d6079e925079305ca43
- SHA256
  
  0f4df99356c9f5c4d67b60d3a7d352782aa83ea82057716eb706d480c8616b26
- SHA512
  
  43183d5b1bd787789ffd40d323b1f236c246ddabcbde366671c34d7b733fb94c470839c9810d7cd4f0338ea235052b7c860e9ec1b15a1b8c414e7aec3b86ed2e
Score

10^/10

xloader fqiq loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderfqiqloaderratsuricata

behavioral2

© 2018-2024

Terms | Privacy