xloader | 678f04893ab76acac51db1dbfc38aa7b5bc442055e00d6f4dbc209e8d065b086 | Triage

Sharing

General

Target

order confirmation payment copy.exe
Size

29KB
Sample

220222-r9we8sabd8
MD5

52b704a5b91990616f13578732a79b97
SHA1

fd6c83a29b70dbe8fa9dbc5971ec03f403c5061e
SHA256

678f04893ab76acac51db1dbfc38aa7b5bc442055e00d6f4dbc209e8d065b086
SHA512

416fc722b9d7d327479666bbec60fe72117cdcf7eae58265004de483641c363601b6267a4c2367256d37a2498fd44ebe6ba675c642846a378b880cbd244c0056

Score

10^/10

xloader po6r loader persistence rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

po6r

Decoy

jnhuichuangxin.com

mubashir.art

extol.design

doyyindh.xyz

milanoautoexperts.com

4thefringe.com

453511.com

sellathonautocredit.com

velgian.com

6672pk.com

wodeluzhou.com

sumiyoshiku-hizaita.xyz

imoveldeprimeira.com

dgjssp.com

endokc.com

side-clicks.com

cashndashfinancial.com

vanhemelryck.info

agamitrading.com

woofgang.xyz

Targets

- Target
  
  order confirmation payment copy.exe
- Size
  
  29KB
- MD5
  
  52b704a5b91990616f13578732a79b97
- SHA1
  
  fd6c83a29b70dbe8fa9dbc5971ec03f403c5061e
- SHA256
  
  678f04893ab76acac51db1dbfc38aa7b5bc442055e00d6f4dbc209e8d065b086
- SHA512
  
  416fc722b9d7d327479666bbec60fe72117cdcf7eae58265004de483641c363601b6267a4c2367256d37a2498fd44ebe6ba675c642846a378b880cbd244c0056
Score

10^/10

xloader po6r loader persistence rat
- Modifies WinLogon for persistence
  persistence
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderpo6rloaderpersistencerat

behavioral2