xloader | 9ab7f9ff54402fc85d3afc64ab14b68c29e9cf96e1c06827abd6d5cf59473aef | Triage

Submit
Reports

Overview

overview

Static

static

JANUARY_QU...N.xlsx

windows7_x64

JANUARY_QU...N.xlsx

windows10_x64

1

Sharing

General

Target

JANUARY_QUOTATION.xlsx
Size

187KB
Sample

220125-lrp8lsddg5
MD5

13024c1d5f2287894cd570e589274072
SHA1

bbb1cf751244ce15e3cdff5ab7ef85f3946f7585
SHA256

9ab7f9ff54402fc85d3afc64ab14b68c29e9cf96e1c06827abd6d5cf59473aef
SHA512

e858d8301f679689e0889e146e3684f5254c7dbbed865d8a3628ee4822af9420e174f864e29085d4b6d591c5922adcfeb5f2c0e92fc65e351025de410a26d4e3

Score

10^/10

xloader nt3f loader rat

Static task

static1

Behavioral task

behavioral1

Sample

JANUARY_QUOTATION.xlsx

Resource

win7-en-20211208

xloader nt3f loader rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

JANUARY_QUOTATION.xlsx

Resource

win10-en-20211208

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

elainemaxwellcoaching.com

1388xc.com

juveniscloud.com

bsauksjon.com

the-waterkooler.com

comment-changer-sa-vie.com

psmcnd.top

rhodesleadingedge.com

mccuelawfirm.com

skinnscience.club

hype-clicks.com

liaojinc.xyz

okmakers.com

ramblertour.online

wickedhunterworld.com

fit-threads.com

cookidoo.website

magentabin.com

pynch1.com

best-paper-to-know-today.info

allmight.net

monicraftsprintables.com

avataroasis.com

10dian-4.com

cozastore.net

capitalcased.com

spacezanome.xyz

feiyangmi.com

11opus.com

getinteriorsolution.com

tidyhutstore.com

amazingpomskyfamily.com

tfcvintage.com

halfanape.com

rotakb.com

martinasfood.com

the-thanks.com

mithilmehta.com

em-photo.art

primerepro.com

lankasirinspa.com

gtbaibang.com

zealandiatobacco.com

deepikatransportpackers.com

eagle-meter.com

Targets

- Target
  
  JANUARY_QUOTATION.xlsx
- Size
  
  187KB
- MD5
  
  13024c1d5f2287894cd570e589274072
- SHA1
  
  bbb1cf751244ce15e3cdff5ab7ef85f3946f7585
- SHA256
  
  9ab7f9ff54402fc85d3afc64ab14b68c29e9cf96e1c06827abd6d5cf59473aef
- SHA512
  
  e858d8301f679689e0889e146e3684f5254c7dbbed865d8a3628ee4822af9420e174f864e29085d4b6d591c5922adcfeb5f2c0e92fc65e351025de410a26d4e3
Score

10^/10

xloader nt3f loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Exploitation for Client Execution

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloadernt3floaderrat

behavioral2

© 2018-2024

Terms | Privacy