xloader | 98c9c20fcffa6fe99c0841a33f4a9283552b9393d958818b9b2b610d5467822e | Triage

Sharing

General

Target

5c4dd55a06141f850ddcedb9253ed84c
Size

757KB
Sample

220308-ww2gjsacc3
MD5

5c4dd55a06141f850ddcedb9253ed84c
SHA1

cf217d41e06f4c35eb00e8ad95bbfcd419a75424
SHA256

98c9c20fcffa6fe99c0841a33f4a9283552b9393d958818b9b2b610d5467822e
SHA512

f74078346a44c1902ff2a4bb53ba3cd7dda8a957d8a7ee7033a1739c48f33df363efce6235195dbb46ef3ec4814922bfc08c53750a0300fe1085f7d4d9e33232

Score

10^/10

xloader p2a5 evasion loader persistence rat spyware stealer

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p2a5

Decoy

gorillaslovebananas.com

zonaextasis.com

digitalpravin.online

memorialdoors.com

departmenteindhoven.com

vipulb.com

ruyibao365.com

ynpzz.com

matthewandjessica.com

winfrey2024.com

janetride.com

arairazur.xyz

alltheheads.com

amayawebdesigns.com

califunder.com

blacksource.xyz

farmasi.agency

ilmkibahar.com

thinkcentury.net

eskortclub.com

Targets

- Target
  
  5c4dd55a06141f850ddcedb9253ed84c
- Size
  
  757KB
- MD5
  
  5c4dd55a06141f850ddcedb9253ed84c
- SHA1
  
  cf217d41e06f4c35eb00e8ad95bbfcd419a75424
- SHA256
  
  98c9c20fcffa6fe99c0841a33f4a9283552b9393d958818b9b2b610d5467822e
- SHA512
  
  f74078346a44c1902ff2a4bb53ba3cd7dda8a957d8a7ee7033a1739c48f33df363efce6235195dbb46ef3ec4814922bfc08c53750a0300fe1085f7d4d9e33232
Score

10^/10

xloader p2a5 evasion loader rat persistence spyware stealer
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Looks for VirtualBox Guest Additions in registry
  evasion
- Xloader Payload
  rat
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderp2a5evasionloaderrat

behavioral2

xloaderp2a5evasionloaderpersistenceratspywarestealer