xloader

General

Target

Page-1029382393.exe
Size

480KB
Sample

220131-pdrq3ahbbk
MD5

2d6983ca4172cd59f90949443d4b5596
SHA1

06ec7184a82223036b85743cdf988f2166fbb4c7
SHA256

547b0c2f7b3ee0275ff34781d0fa579a07d437629c9ee5e81d8782bb7e12dc4e
SHA512

541fc96ee9d4727a2c0980c8553a54285cc511cf3298d5ca07f53340a0e2da493324aead0035433b9bf4fc31cb646de7127921f02e4a4fb334dfc87999859024

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

c6si

Decoy

tristateinc.construction

americanscaregroundstexas.com

kanimisoshiru.com

wihling.com

fishcheekstosa.com

parentsfuid.com

greenstandmarket.com

fc8fla8kzq.com

gametwist-83.club

jobsncvs.com

directrealtysells.com

avida2015.com

conceptasite.net

arkaneattire.com

indev-mobility.info

2160centurypark412.com

valefloor.com

septembership.com

stackflix.com

jimc0sales.net

Targets

- Target
  
  Page-1029382393.exe
- Size
  
  480KB
- MD5
  
  2d6983ca4172cd59f90949443d4b5596
- SHA1
  
  06ec7184a82223036b85743cdf988f2166fbb4c7
- SHA256
  
  547b0c2f7b3ee0275ff34781d0fa579a07d437629c9ee5e81d8782bb7e12dc4e
- SHA512
  
  541fc96ee9d4727a2c0980c8553a54285cc511cf3298d5ca07f53340a0e2da493324aead0035433b9bf4fc31cb646de7127921f02e4a4fb334dfc87999859024
Score

10^/10

xloader c6si loader rat suricata persistence
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Sets service image path in registry
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Sets service image path in registry

Deletes itself

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2