xloader | 9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e | Triage

Sharing

General

Target

9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e
Size

248KB
Sample

220128-g69hkshaf5
MD5

c2ca2ba9c38eb02217588662717ba6c3
SHA1

8a897f24d2e564af2c2fcc272ab0cfbef10611b5
SHA256

9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e
SHA512

7c7a80f37013b8b5fe27e0c9c3144884abde6ca49484c3e8c6cc78daa9f3b6ac890577247223e7d4875b865244e8732840c6a47170fbe2c7f27406ba4c8f52a6

Score

10^/10

xloader b80i loader persistence rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b80i

Decoy

yixuan5.com

jiazheng369.com

danielleefelipe.net

micorgas.com

uvywah.com

nbjcgl.com

streets4suites.com

hempgotas.com

postmoon.xyz

gaboshoes.com

pastodwes.com

libes.asia

damusalama.com

youngliving1.com

mollyagee.com

branchwallet.com

seebuehnegoerlitz.com

inventors.community

teentykarm.quest

927291.com

Targets

- Target
  
  9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e
- Size
  
  248KB
- MD5
  
  c2ca2ba9c38eb02217588662717ba6c3
- SHA1
  
  8a897f24d2e564af2c2fcc272ab0cfbef10611b5
- SHA256
  
  9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e
- SHA512
  
  7c7a80f37013b8b5fe27e0c9c3144884abde6ca49484c3e8c6cc78daa9f3b6ac890577247223e7d4875b865244e8732840c6a47170fbe2c7f27406ba4c8f52a6
Score

10^/10

xloader b80i loader persistence rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Sets service image path in registry
  persistence
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderb80iloaderpersistencerat