xloader

General

Target

4577189451956224.zip
Size

1KB
Sample

220325-wxcjtafhdm
MD5

18b981c265d4b9d70b4cfe0a82343b22
SHA1

64ac2201ca31ef29017891cfa1a4264ebd88cd4b
SHA256

2cc20535a34a0776e35b4842fe88e6e7475f67ae8bc3a5abb7545fb675bc43a5
SHA512

4826544a03f66be3e35b35a5ba0ae69411a74efc4015320b840c03ae08bc8ebdd2ff8b84a584b860dd26a81d148d7b274cf843008357386dee9bb6d50e69012d

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://transfer.sh/get/9GqmOG/jramooooss.ps1

Extracted

Family

xloader

Version

2.5

Campaign

be4o

Decoy

neonewway.club

kuanghong.club

7bkj.com

ooo-club.com

kamchatka-agency.com

sjsndtvitzru.mobi

noireimpactcollective.net

justbe-event.com

easypeasy.community

southcoast.glass

janhenningsen.com

jmxyjj.com

tarihibilet.com

nagradi7.com

percentrostered.net

certvaxid.com

kingseafoodsydney.com

blacksheepwalk.com

waktuk.com

inteligenciaenrefrigeracion.com

Targets

- Target
  
  976e459097d02ba60e08c872cd4e997b8ffde163a3bd7bb4abef17d455b62ed8
- Size
  
  54KB
- MD5
  
  49e864fe28310b2adc782a975aaa5b67
- SHA1
  
  82a9e71eccabf7675a333b9f4fdc99a85634bfbc
- SHA256
  
  976e459097d02ba60e08c872cd4e997b8ffde163a3bd7bb4abef17d455b62ed8
- SHA512
  
  381a1f47fe57a996fbaa56ee1b43b8260f7d3bbc9346be68114fe7977b283d0aa2d340291745d2683ca45a0e3232efbe644a5539f3756c28b24ba36cf63857ad
Score

3^/10
behavioral1 behavioral2
- Target
  
  Revised Invoice #03252022.vbs
- Size
  
  636B
- MD5
  
  e0e7f44f32d0b3dabb08bd61a3b81f6a
- SHA1
  
  3b5d3334936280cee7be949a7712669300502377
- SHA256
  
  db00c50095732ed84821f321b813546431f298525fea8dbd1a4545c3abfa1fe1
- SHA512
  
  78baf7107944bc1cc371f058f73a2ecd1f601b3401d10774440cfcbcc767549bb43143c261422e7bd2e3f345a5ebb99acda70ca1a2033ccbcd08ef86edff8bf1
Score

10^/10

xloader be4o loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Suspected Jupyter Stealer Related Activity (GET)
  suricata: ET MALWARE Suspected Jupyter Stealer Related Activity (GET)
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE Suspected Jupyter Stealer Related Activity (GET)

Xloader Payload

Blocklisted process makes network request

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4