xloader

General

Target

59994141a89bb9be2d56fb10d81b9ead22f4d171b6e1cc3d8bd406d7fe41b2b2
Size

507KB
Sample

220131-v512psadgm
MD5

2ac9b7aaee0cf79be88ed5703abc75ba
SHA1

4cbecd4bfc4b0af796269b7d08cd9f0ad8d15295
SHA256

59994141a89bb9be2d56fb10d81b9ead22f4d171b6e1cc3d8bd406d7fe41b2b2
SHA512

3c63d5cbe5c0bd78e853cc9873559067bfb7471c28ec9649f18a8323d2189e3b6e01a3dde9a1ade13ad30929b8f5982cceced870332df7b257ec2b7dc9a20f82

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n58i

Decoy

nl-cafe.com

votetedjaleta.com

britrobertsrealtor.com

globipark.com

citysucces.com

verisignwebsite-verified.com

riddlepc.com

rosecityclimbing.com

oleandrinextract.com

salmankonstruksi.com

needhamchannel.com

refreshx2z.com

youth66.com

pla-russia.com

halloweenmaskpro.com

exdysis.com

1gcz.com

lookgoodman.com

rlxagva.com

stlcityc.com

Targets

- Target
  
  PAYMENT INSTRUCTIONS COPY.exe
- Size
  
  533KB
- MD5
  
  51c32b446180f49c6b6537a25a191b88
- SHA1
  
  5a7187ad9215b34c62f96577286e01cab0436acd
- SHA256
  
  65a1476fde2b2c018f8eaa5e96a77156baeb6f35bd46545db8745fa4fe0c4869
- SHA512
  
  e622dd78122325b22e274238c025d3dfa0577b35ed1509d5fcdc3717a55484326377bc47541ac5c050183f1ab0add718e62f050d1ff1cb305f31c403749737dd
Score

10^/10

xloader n58i loader rat suricata persistence
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Sets service image path in registry
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Sets service image path in registry

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2