xloader | 8ba3166fa29eedff427b62c2d1b05984949a1ac87a34ffa2ab95f4404e96d0e7 | Triage

Sharing

General

Target

vbc.exektfpmhuf
Size

790KB
Sample

220507-e367yabgh9
MD5

14f5bfcb44b9511f2cfac6f29ab55898
SHA1

f8dd1f7ec5259168dc98367c3eaa998f08b41a9d
SHA256

8ba3166fa29eedff427b62c2d1b05984949a1ac87a34ffa2ab95f4404e96d0e7
SHA512

0bd4db6d4f45a58b25445726956876d5546bcf73436b0b7c0411ef3d0e683fd91707551a146e775482399896ea6581caaa3d57d3e966a17a451315dcdf1f3b02

Score

10^/10

xloader arh2 evasion loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

arh2

Decoy

anniversaryalert.com

kinship.space

buabdullagroup.com

ghostprotectionagency.com

scion-go-getter.com

skindeepapp.com

kysp3.xyz

bonitaspringshomesearch.com

bestdeals2022.online

themarketingstinger.com

chengkayouxuan.com

fendoremi.com

j-stra.com

klingelecn.net

deluxecarepro.com

huanbaodg.com

mes-dents-blanches.com

solutionsemissionsimplifiee.com

abedbashir.tech

good-collection.store

Targets

- Target
  
  vbc.exektfpmhuf
- Size
  
  790KB
- MD5
  
  14f5bfcb44b9511f2cfac6f29ab55898
- SHA1
  
  f8dd1f7ec5259168dc98367c3eaa998f08b41a9d
- SHA256
  
  8ba3166fa29eedff427b62c2d1b05984949a1ac87a34ffa2ab95f4404e96d0e7
- SHA512
  
  0bd4db6d4f45a58b25445726956876d5546bcf73436b0b7c0411ef3d0e683fd91707551a146e775482399896ea6581caaa3d57d3e966a17a451315dcdf1f3b02
Score

10^/10

xloader arh2 evasion loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Looks for VirtualBox Guest Additions in registry
  evasion
- Xloader Payload
  rat
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Uses the VBS compiler for execution
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xloaderarh2evasionloaderratsuricata