xloader | ef986fa9ac50432d1fc1be8e0ace872cbf28cf51d967d6d35647aa3f77acf94e | Triage

Submit
Reports

Overview

overview

Static

static

1

payload.exe

windows10_x64

Resubmissions

19-01-2022 19:22

220119-x28ngscegm 10

19-01-2022 18:50

220119-xgxeqacdg6 10

Sharing

General

Target

payload.exe
Size

297KB
Sample

220119-xgxeqacdg6
MD5

aefc9702ff5d6d9064ec8e5ea82e4870
SHA1

716ad70dc07a6b7d3c46209de8627bf3f3535361
SHA256

ef986fa9ac50432d1fc1be8e0ace872cbf28cf51d967d6d35647aa3f77acf94e
SHA512

e5180f0d131111627300dd3b61abae59cf77e0d2a4aa50d9b22dec1c270a865caed5fa4130174930ae2810584c4169e9bf56a0b597401014737d60b250580b55

Score

10^/10

xloader uar3 loader persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

payload.exe

Resource

win10-en-20211208

xloader uar3 loader persistence rat spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

kgv-lachswehr.com

salazarcomunicacion.com

robopython.com

corporateequity.online

complianceservicegroup.com

aperza-ex.com

webflowusa.com

asesoriasfinancieras.xyz

missolivesbranches.com

numiquest.com

criskconsultancy.com

gotemup.com

themaptalk.com

lakebalboahalf.com

cateringfrenchcroissant.com

paddocklakerealestate.com

lojaquerosurprezza.store

courtneywhitearmusic.com

geovannimaquinadevendas.online

pricklypairjazz.com

engagedigi.com

conduitforthespirit.com

anaheimaletrail.com

wholesalemall.store

alertsbecu.com

gestion-kayfra.com

youcanstores.com

qsuo.net

formadv.info

dihesia.xyz

carrreir.com

twenteeminuteswithtee.com

realliferenewal.com

officialprokodsukses.icu

stanfordgrouploscabos.com

maxicashpromir.xyz

zysqshjs.com

trc-clicks.com

chsclbd.com

amdproduce.net

republicoflies.com

beaux-parents.com

lucrativeapp.com

milbombas.com

alexanderplaywear.com

Targets

- Target
  
  payload.exe
- Size
  
  297KB
- MD5
  
  aefc9702ff5d6d9064ec8e5ea82e4870
- SHA1
  
  716ad70dc07a6b7d3c46209de8627bf3f3535361
- SHA256
  
  ef986fa9ac50432d1fc1be8e0ace872cbf28cf51d967d6d35647aa3f77acf94e
- SHA512
  
  e5180f0d131111627300dd3b61abae59cf77e0d2a4aa50d9b22dec1c270a865caed5fa4130174930ae2810584c4169e9bf56a0b597401014737d60b250580b55
Score

10^/10

xloader uar3 loader persistence rat spyware stealer
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderuar3loaderpersistenceratspywarestealer

© 2018-2024

Terms | Privacy