xloader | 01c9ef989594dd752b02d280530c117f0c744c18fe3351a9ef24e0a6b44c3191 | Triage

Sharing

General

Target

01c9ef989594dd752b02d280530c117f0c744c18fe3351a9ef24e0a6b44c3191
Size

407KB
Sample

220521-a7x3lsedhn
MD5

664c9c6579b65a2c163c01689620599c
SHA1

bc88ce965ce15cafb5914b90918ab339bd96dbc3
SHA256

01c9ef989594dd752b02d280530c117f0c744c18fe3351a9ef24e0a6b44c3191
SHA512

13f6303b3129c1ca678a0131720bbae31c91444451a86abbb8cecde79103738357ade8a30c228d721b85e3ad84f05a39367493b7a106ad464246d6a0c40712e5

Score

10^/10

xloader b6fg evasion loader persistence rat suricata

Malware Config

Extracted

Family

xloader

Version

2.0

Campaign

b6fg

Decoy

multlockmt5.com

mohajrannoor.com

robynhoodofretail.info

belinv.com

hotellasab.com

kibrismosad.com

xn--fxwm39aeb590h.xn--io0a7i

resetbrasil.com

tcsonhvac.com

theresav.net

bohoqi.info

machinafuturae.com

mambavault.com

xn--980am9a.top

yumiang.com

evntmonitor.com

83003kk.com

triterm.com

8800pe.com

silvanstudio.com

Targets

- Target
  
  PO0932083943974.exe
- Size
  
  628KB
- MD5
  
  42e8fda0885f8ce54deaabab4d25f775
- SHA1
  
  f1173fbe2ddf0b031f4ee189e7448e0d13084595
- SHA256
  
  a0086dfee2dba4d6a0adab05e848cfbb9755f68be7adef3ff35ff9740e5a1c2e
- SHA512
  
  015521a434a05f8fcff947f1dc7bcebf1f1ad9d70dc44612ebed84dfd6de3af96ddf0439a994d0bd16e9e07dc888af20389b606824e700c2557ce95f0c802516
Score

10^/10

xloader b6fg evasion loader persistence rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Looks for VirtualBox Guest Additions in registry
  evasion
- Xloader Payload
  rat
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Uses the VBS compiler for execution
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderb6fgevasionloaderpersistenceratsuricata

behavioral2