xloader | 5f68d743559b59681d1bc2b6bac40f5cc4e3155a2c77f11cbbde4337729fbe02 | Triage

Submit
Reports

Overview

overview

Static

static

tmp/5f68d7...02.xls

windows7_x64

tmp/5f68d7...02.xls

windows10_x64

1

Sharing

General

Target

tmp/5f68d743559b59681d1bc2b6bac40f5cc4e3155a2c77f11cbbde4337729fbe02.xls
Size

310KB
Sample

220112-kgbrssbhen
MD5

a3d4cdc8a20ab70adb1e9cb60a4b5a17
SHA1

b216487eafb1f1e8017a1a4992484a720c6852be
SHA256

5f68d743559b59681d1bc2b6bac40f5cc4e3155a2c77f11cbbde4337729fbe02
SHA512

1d6168562018006ca5c29a4af03938b328fe00de3d5c4bf0e1141a90172643d1977cafddaacc8a6a7759747d69d39300c1c790e280c57db3aa966b019c7b3329

Score

10^/10

xloader nt3f loader rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

tmp/5f68d743559b59681d1bc2b6bac40f5cc4e3155a2c77f11cbbde4337729fbe02.xls

Resource

win7-en-20211208

xloader nt3f loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

tmp/5f68d743559b59681d1bc2b6bac40f5cc4e3155a2c77f11cbbde4337729fbe02.xls

Resource

win10-en-20211208

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

elainemaxwellcoaching.com

1388xc.com

juveniscloud.com

bsauksjon.com

the-waterkooler.com

comment-changer-sa-vie.com

psmcnd.top

rhodesleadingedge.com

mccuelawfirm.com

skinnscience.club

hype-clicks.com

liaojinc.xyz

okmakers.com

ramblertour.online

wickedhunterworld.com

fit-threads.com

cookidoo.website

magentabin.com

pynch1.com

best-paper-to-know-today.info

allmight.net

monicraftsprintables.com

avataroasis.com

10dian-4.com

cozastore.net

capitalcased.com

spacezanome.xyz

feiyangmi.com

11opus.com

getinteriorsolution.com

tidyhutstore.com

amazingpomskyfamily.com

tfcvintage.com

halfanape.com

rotakb.com

martinasfood.com

the-thanks.com

mithilmehta.com

em-photo.art

primerepro.com

lankasirinspa.com

gtbaibang.com

zealandiatobacco.com

deepikatransportpackers.com

eagle-meter.com

Targets

- Target
  
  tmp/5f68d743559b59681d1bc2b6bac40f5cc4e3155a2c77f11cbbde4337729fbe02.xls
- Size
  
  310KB
- MD5
  
  a3d4cdc8a20ab70adb1e9cb60a4b5a17
- SHA1
  
  b216487eafb1f1e8017a1a4992484a720c6852be
- SHA256
  
  5f68d743559b59681d1bc2b6bac40f5cc4e3155a2c77f11cbbde4337729fbe02
- SHA512
  
  1d6168562018006ca5c29a4af03938b328fe00de3d5c4bf0e1141a90172643d1977cafddaacc8a6a7759747d69d39300c1c790e280c57db3aa966b019c7b3329
Score

10^/10

xloader nt3f loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Exploitation for Client Execution

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloadernt3floaderratsuricata

behavioral2

© 2018-2024

Terms | Privacy