xloader | 14319c04da7b0b2d6ac7734df48a79589e87f410e5496a4e01804dacdfb3e62f | Triage

Submit
Reports

Overview

overview

Static

static

tmp/14319c...2f.xls

windows7_x64

tmp/14319c...2f.xls

windows10_x64

1

Sharing

General

Target

tmp/14319c04da7b0b2d6ac7734df48a79589e87f410e5496a4e01804dacdfb3e62f.xls
Size

692KB
Sample

211217-k4v4ysebbl
MD5

3fa412e3e3237fec99a8aa0c2e44ee3f
SHA1

1837658576e9508fa5568f6c5af58bf6bb410e97
SHA256

14319c04da7b0b2d6ac7734df48a79589e87f410e5496a4e01804dacdfb3e62f
SHA512

d8ab3f3edd69d86f03df828c2925c7bdc0b59e1422cd06433454f2ee72b7cd3ed86b9f98f4670d234012d1d4816ab397d022ed13a742790bf5f73cbc16561030

Score

10^/10

xloader fqiq loader rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

tmp/14319c04da7b0b2d6ac7734df48a79589e87f410e5496a4e01804dacdfb3e62f.xls

Resource

win7-en-20211208

xloader fqiq loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

tmp/14319c04da7b0b2d6ac7734df48a79589e87f410e5496a4e01804dacdfb3e62f.xls

Resource

win10-en-20211208

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

fqiq

Decoy

driventow.com

ipatchwork.today

bolder.equipment

seal-brother.com

mountlaketerraceapartments.com

weeden.xyz

sanlifalan.com

athafood.com

isshinn1.com

creationslazzaroni.com

eclecticrenaissancewoman.com

satellitephonstore.com

cotchildcare.com

yamacorp.digital

ff4cuno43.xyz

quicksticks.community

govindfinance.com

farmersfirstseed.com

megacinema.club

tablescaperendezvous4two.com

ecarehomes.com

floaterslaser.com

benisano.com

saint444.com

thedusi.com

avafxtrade.online

hanenosuke.com

suntioil4u.com

healthyweekendtips.com

24000words.com

ofbchina.net

begukiu0.info

wolmoda.com

mask60.com

4bellemaison.com

mambacustomboats.com

sedsn.com

doggycc.com

kangrungao.com

pharmacistcharisma.com

passiverewardssystems.com

qywyfeo8.xyz

shenjiclass.com

rdoi.top

lavishbynovell.com

fleetton.com

hillcresthomegroup.com

hartfulcleaning.com

srofkansas.com

applebroog.industries

phillytrainers.com

dmc--llc.com

sosoon.store

daysyou.com

controldatasa.com

markarge.com

hirayaawards.com

clinicscluster.com

sophiagunterman.art

kirtansangeet.com

residential.insure

ribbonofficial.com

qianhaijcc.com

fytvankin.quest

esyscoloradosprings.com

Targets

- Target
  
  tmp/14319c04da7b0b2d6ac7734df48a79589e87f410e5496a4e01804dacdfb3e62f.xls
- Size
  
  692KB
- MD5
  
  3fa412e3e3237fec99a8aa0c2e44ee3f
- SHA1
  
  1837658576e9508fa5568f6c5af58bf6bb410e97
- SHA256
  
  14319c04da7b0b2d6ac7734df48a79589e87f410e5496a4e01804dacdfb3e62f
- SHA512
  
  d8ab3f3edd69d86f03df828c2925c7bdc0b59e1422cd06433454f2ee72b7cd3ed86b9f98f4670d234012d1d4816ab397d022ed13a742790bf5f73cbc16561030
Score

10^/10

xloader fqiq loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderfqiqloaderratsuricata

behavioral2

© 2018-2024

Terms | Privacy