xloader | c7481ac4056524a4d60818692659188ff784c7f1f5a7333238ed08595a149add | Triage

Submit
Reports

Overview

overview

Static

static

192.3.239....29.rtf

windows7_x64

192.3.239....29.rtf

windows10-2004_x64

1

Sharing

General

Target

192.3.239.22_-_9000_-_document_invoice.doc___553058583012117df3bb047a83ec6129.dat
Size

20KB
Sample

220607-ktd3pacgf6
MD5

553058583012117df3bb047a83ec6129
SHA1

17c62c4a4580d55cac9cdd1ff6e01ea5fd9ef055
SHA256

c7481ac4056524a4d60818692659188ff784c7f1f5a7333238ed08595a149add
SHA512

3b6ac6e1ccca523e1929353dfff426bb93cd2c441a8f2da248637904f8c51f59318537704e915fcfd71bd2fa53b29546002cd7c0d58ff619cbf1928ad577a4c9

Score

10^/10

xloader be4o loader rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

192.3.239.22_-_9000_-_document_invoice.doc___553058583012117df3bb047a83ec6129.rtf

Resource

win7-20220414-en

xloader be4o loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

192.3.239.22_-_9000_-_document_invoice.doc___553058583012117df3bb047a83ec6129.rtf

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

be4o

Decoy

laboratoriobioixcha.com

tictocperushop.online

wild-oceans.com

belaruscountry.com

kicktmall.com

fitcoinweb.tech

mores.one

gogear.one

gxrcksy.com

samrcq.com

impossible-icecream.com

bravesxx.com

bookchainart.com

sleepsolutionsofmboro.com

ocbrazilbusinessclub.com

advisor76.xyz

xitaotech.com

mgsdtytifgf3414.xyz

johnson-brown.net

cr3drt.com

virtualtourpro.store

transporteriocristal.com

fjbingjiang.com

minecraftrojectx.site

ttrcb.com

sexlarab.com

cxzczc2.online

doorsmm.com

weisbergiegal.com

skythinks.com

schoolsuperaty.com

swampbucketkids.com

networklogicsa.com

businessevs.com

gulfcoastclinicchiro.com

milliards.xyz

moviesquery.com

cycletostack.com

c0wkvo.com

inkingthings.net

cookvillecampgroundvt.com

rajeshprinters.com

binge-bane.biz

ginger9632-voice.cloud

1nfo-post.com

unta.xyz

liuhumu.com

khandaia.info

ha01qnscvts0l.xyz

liert.site

allflowmedia.com

6ibnuj9t.xyz

embravewise.com

responsabilities.com

apexges.com

ola-speechtherapy.com

pristinefarmlands.com

adaraateristiayote.store

journeyhomemeditation.com

96238.top

nosipokip.site

itt-service.com

bw590jumpb.xyz

relieveyourdog.com

qiyeweiiliaoo0428.com

Targets

- Target
  
  192.3.239.22_-_9000_-_document_invoice.doc___553058583012117df3bb047a83ec6129.dat
- Size
  
  20KB
- MD5
  
  553058583012117df3bb047a83ec6129
- SHA1
  
  17c62c4a4580d55cac9cdd1ff6e01ea5fd9ef055
- SHA256
  
  c7481ac4056524a4d60818692659188ff784c7f1f5a7333238ed08595a149add
- SHA512
  
  3b6ac6e1ccca523e1929353dfff426bb93cd2c441a8f2da248637904f8c51f59318537704e915fcfd71bd2fa53b29546002cd7c0d58ff619cbf1928ad577a4c9
Score

10^/10

xloader be4o loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderbe4oloaderratsuricata

behavioral2

© 2018-2024

Terms | Privacy