xloader | aba2eb67f79087c5e7cc125933d59e7d2b44fee3ea8a50fb6f5b4520b0c196ea | Triage

Submit
Reports

Overview

overview

Static

static

tmp/aba2eb...ea.xls

windows7_x64

tmp/aba2eb...ea.xls

windows10_x64

1

Sharing

General

Target

tmp/aba2eb67f79087c5e7cc125933d59e7d2b44fee3ea8a50fb6f5b4520b0c196ea.xls
Size

796KB
Sample

211215-sm3fpsagdj
MD5

538bdbae2c32d899af9a4bc40767e14b
SHA1

e208398487e9622bf718833968f327da8c70f4c8
SHA256

aba2eb67f79087c5e7cc125933d59e7d2b44fee3ea8a50fb6f5b4520b0c196ea
SHA512

32ca367c290b6f311276cb3eb02405613fe21b4744344fba58ab9b91318ac6745481b06cf613462c17f64943b159be645750585b5335da78ea0409bdcd5cdf9a

Score

10^/10

xloader fqiq loader rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

tmp/aba2eb67f79087c5e7cc125933d59e7d2b44fee3ea8a50fb6f5b4520b0c196ea.xls

Resource

win7-en-20211208

xloader fqiq loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

tmp/aba2eb67f79087c5e7cc125933d59e7d2b44fee3ea8a50fb6f5b4520b0c196ea.xls

Resource

win10-en-20211208

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

fqiq

Decoy

driventow.com

ipatchwork.today

bolder.equipment

seal-brother.com

mountlaketerraceapartments.com

weeden.xyz

sanlifalan.com

athafood.com

isshinn1.com

creationslazzaroni.com

eclecticrenaissancewoman.com

satellitephonstore.com

cotchildcare.com

yamacorp.digital

ff4cuno43.xyz

quicksticks.community

govindfinance.com

farmersfirstseed.com

megacinema.club

tablescaperendezvous4two.com

ecarehomes.com

floaterslaser.com

benisano.com

saint444.com

thedusi.com

avafxtrade.online

hanenosuke.com

suntioil4u.com

healthyweekendtips.com

24000words.com

ofbchina.net

begukiu0.info

wolmoda.com

mask60.com

4bellemaison.com

mambacustomboats.com

sedsn.com

doggycc.com

kangrungao.com

pharmacistcharisma.com

passiverewardssystems.com

qywyfeo8.xyz

shenjiclass.com

rdoi.top

lavishbynovell.com

fleetton.com

hillcresthomegroup.com

hartfulcleaning.com

srofkansas.com

applebroog.industries

phillytrainers.com

dmc--llc.com

sosoon.store

daysyou.com

controldatasa.com

markarge.com

hirayaawards.com

clinicscluster.com

sophiagunterman.art

kirtansangeet.com

residential.insure

ribbonofficial.com

qianhaijcc.com

fytvankin.quest

esyscoloradosprings.com

Targets

- Target
  
  tmp/aba2eb67f79087c5e7cc125933d59e7d2b44fee3ea8a50fb6f5b4520b0c196ea.xls
- Size
  
  796KB
- MD5
  
  538bdbae2c32d899af9a4bc40767e14b
- SHA1
  
  e208398487e9622bf718833968f327da8c70f4c8
- SHA256
  
  aba2eb67f79087c5e7cc125933d59e7d2b44fee3ea8a50fb6f5b4520b0c196ea
- SHA512
  
  32ca367c290b6f311276cb3eb02405613fe21b4744344fba58ab9b91318ac6745481b06cf613462c17f64943b159be645750585b5335da78ea0409bdcd5cdf9a
Score

10^/10

xloader fqiq loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderfqiqloaderratsuricata

behavioral2

© 2018-2024

Terms | Privacy