xloader | 908076c97e6c7f9ab60116e89ca8d48597379737cd61382b9ff87c90312a4169 | Triage

Sharing

General

Target

SWIFT_6606482599.xlsx
Size

632KB
Sample

220308-vsmnjscdhl
MD5

60fcf19d11208963f722192d0ba0d76d
SHA1

3e6084555c833d215621f6788cb7716bf2bef277
SHA256

908076c97e6c7f9ab60116e89ca8d48597379737cd61382b9ff87c90312a4169
SHA512

b15a15939f8d56017c539a58e39d11d9f0a2d9cd76a03f74950e0ca0d3b048aa0b64ede1af5aed69015c30f7b5434c6380f52a2b7ef0dad6b436733f86ccf31d

Score

10^/10

xloader p2a5 evasion loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p2a5

Decoy

gorillaslovebananas.com

zonaextasis.com

digitalpravin.online

memorialdoors.com

departmenteindhoven.com

vipulb.com

ruyibao365.com

ynpzz.com

matthewandjessica.com

winfrey2024.com

janetride.com

arairazur.xyz

alltheheads.com

amayawebdesigns.com

califunder.com

blacksource.xyz

farmasi.agency

ilmkibahar.com

thinkcentury.net

eskortclub.com

Targets

- Target
  
  SWIFT_6606482599.xlsx
- Size
  
  632KB
- MD5
  
  60fcf19d11208963f722192d0ba0d76d
- SHA1
  
  3e6084555c833d215621f6788cb7716bf2bef277
- SHA256
  
  908076c97e6c7f9ab60116e89ca8d48597379737cd61382b9ff87c90312a4169
- SHA512
  
  b15a15939f8d56017c539a58e39d11d9f0a2d9cd76a03f74950e0ca0d3b048aa0b64ede1af5aed69015c30f7b5434c6380f52a2b7ef0dad6b436733f86ccf31d
Score

10^/10

xloader p2a5 evasion loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Looks for VirtualBox Guest Additions in registry
  evasion
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderp2a5evasionloaderratsuricata

behavioral2