xloader | 26da8ebb14184edf1c85c0d5981d81e441847856cdac50d5efe108a5e3424829 | Triage

Submit
Reports

Overview

overview

Static

static

tmp/26da8e...29.xls

windows7_x64

tmp/26da8e...29.xls

windows10-2004_x64

1

Sharing

General

Target

tmp/26da8ebb14184edf1c85c0d5981d81e441847856cdac50d5efe108a5e3424829.xls
Size

301KB
Sample

220117-q9nvqaahal
MD5

27307aea0f6f1b4b37f1e9949710d6f1
SHA1

249f3fe9f387feb6abf8323043705d367063b1aa
SHA256

26da8ebb14184edf1c85c0d5981d81e441847856cdac50d5efe108a5e3424829
SHA512

e6847c0c946dfafbc57c2933af0e6fb4e32b44edab75a0750509c9b3b16331b0b3a4db1a9bf247d86f8d47ea2365c6e4f32d2cf36d093db9c2e4fe8b920285ae

Score

10^/10

xloader nt3f loader persistence rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

tmp/26da8ebb14184edf1c85c0d5981d81e441847856cdac50d5efe108a5e3424829.xls

Resource

win7-en-20211208

xloader nt3f loader persistence rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

tmp/26da8ebb14184edf1c85c0d5981d81e441847856cdac50d5efe108a5e3424829.xls

Resource

win10v2004-en-20220113

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

elainemaxwellcoaching.com

1388xc.com

juveniscloud.com

bsauksjon.com

the-waterkooler.com

comment-changer-sa-vie.com

psmcnd.top

rhodesleadingedge.com

mccuelawfirm.com

skinnscience.club

hype-clicks.com

liaojinc.xyz

okmakers.com

ramblertour.online

wickedhunterworld.com

fit-threads.com

cookidoo.website

magentabin.com

pynch1.com

best-paper-to-know-today.info

allmight.net

monicraftsprintables.com

avataroasis.com

10dian-4.com

cozastore.net

capitalcased.com

spacezanome.xyz

feiyangmi.com

11opus.com

getinteriorsolution.com

tidyhutstore.com

amazingpomskyfamily.com

tfcvintage.com

halfanape.com

rotakb.com

martinasfood.com

the-thanks.com

mithilmehta.com

em-photo.art

primerepro.com

lankasirinspa.com

gtbaibang.com

zealandiatobacco.com

deepikatransportpackers.com

eagle-meter.com

Targets

- Target
  
  tmp/26da8ebb14184edf1c85c0d5981d81e441847856cdac50d5efe108a5e3424829.xls
- Size
  
  301KB
- MD5
  
  27307aea0f6f1b4b37f1e9949710d6f1
- SHA1
  
  249f3fe9f387feb6abf8323043705d367063b1aa
- SHA256
  
  26da8ebb14184edf1c85c0d5981d81e441847856cdac50d5efe108a5e3424829
- SHA512
  
  e6847c0c946dfafbc57c2933af0e6fb4e32b44edab75a0750509c9b3b16331b0b3a4db1a9bf247d86f8d47ea2365c6e4f32d2cf36d093db9c2e4fe8b920285ae
Score

10^/10

xloader nt3f loader persistence rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloadernt3floaderpersistenceratsuricata

behavioral2

© 2018-2024

Terms | Privacy