xloader | 41b58cddca86e32e7034daf8e97dcdaa04ac6cdcb41eae86be1c3fa7fd05c871 | Triage

Submit
Reports

Overview

overview

Static

static

W6902.xlsx

windows7_x64

W6902.xlsx

windows10_x64

1

Sharing

General

Target

W6902.xlsx
Size

187KB
Sample

220128-zpal2adcek
MD5

9a0e6f87707210a385ef8ed3bf348de3
SHA1

800a9f004b17cd24413eb98c2f6d9fcd02128887
SHA256

41b58cddca86e32e7034daf8e97dcdaa04ac6cdcb41eae86be1c3fa7fd05c871
SHA512

e35a536e9d68da1cc14ea854d977490ed6865cc756c23d479d6a37572f004c2f6b0ab475c9f765434588c827721b3fbc72cf5a33cf6144b92fc205bdc7a96269

Score

10^/10

xloader b80i loader rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

W6902.xlsx

Resource

win7-en-20211208

xloader b80i loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

W6902.xlsx

Resource

win10-en-20211208

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b80i

Decoy

yixuan5.com

jiazheng369.com

danielleefelipe.net

micorgas.com

uvywah.com

nbjcgl.com

streets4suites.com

hempgotas.com

postmoon.xyz

gaboshoes.com

pastodwes.com

libes.asia

damusalama.com

youngliving1.com

mollyagee.com

branchwallet.com

seebuehnegoerlitz.com

inventors.community

teentykarm.quest

927291.com

wohn-union.info

rvmservices.com

cuanquotex.online

buysubarus.com

360e.group

markham.condos

carriewilliamsinc.com

ennitec.com

wildberryhair.com

trulyrun.com

pinkandgrey.info

mnselfservice.com

gabtomenice.com

2thpolis.com

standardcrypro.com

58lif.com

ir-hasnol.com

ggsega.xyz

tipslowclever.rest

atlasgrpltdgh.com

4338agnes.com

hillsncreeks.com

pentest.ink

cevichiles.com

evodoge.com

gooooooo.xyz

ehaszthecarpetbagger.com

finanes.xyz

zoharfine.com

viperiastudios.com

sjljtzsls.com

frentags.art

mediafyagency.com

faydergayremezdayener.net

freelance-rse.com

quickmovecourierservices.com

lexingtonprochoice.com

farmacymerchants.com

inkland-tattoo.com

aloebiotics.com

rampi6.com

bookinggroningen.com

wilkinsutotint.com

inslidr.com

dreamschools.online

Targets

- Target
  
  W6902.xlsx
- Size
  
  187KB
- MD5
  
  9a0e6f87707210a385ef8ed3bf348de3
- SHA1
  
  800a9f004b17cd24413eb98c2f6d9fcd02128887
- SHA256
  
  41b58cddca86e32e7034daf8e97dcdaa04ac6cdcb41eae86be1c3fa7fd05c871
- SHA512
  
  e35a536e9d68da1cc14ea854d977490ed6865cc756c23d479d6a37572f004c2f6b0ab475c9f765434588c827721b3fbc72cf5a33cf6144b92fc205bdc7a96269
Score

10^/10

xloader b80i loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderb80iloaderratsuricata

behavioral2

© 2018-2024

Terms | Privacy