xloader | 82d4a5db7563c67d43eab4e320daf91465ecc5080747a98850059bca5e45aec5 | Triage

Submit
Reports

Overview

overview

Static

static

Enquiry..xlsx

windows7_x64

Enquiry..xlsx

windows10-2004_x64

1

Sharing

General

Target

Enquiry..xlsx
Size

80KB
Sample

220621-pea5psddcm
MD5

6eb7cdf78741a76e34fc2a28f6f85653
SHA1

ec7982080385abbc4ff6f4cf13ea1282af241ae2
SHA256

82d4a5db7563c67d43eab4e320daf91465ecc5080747a98850059bca5e45aec5
SHA512

b695c95d95c4146354d329b5043332a200e4cbd3c1b95eded0165f6ad3532b771f01ccc3b265c546d06f8f024305bb3fda232ae9b0593facfb08467f14d1313d

Score

10^/10

xloader nn40 loader rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

Enquiry..xlsx

Resource

win7-20220414-en

xloader nn40 loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Enquiry..xlsx

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

nn40

Decoy

LYAg0yANOGEAGeaFOrA/

MQWuERZplP+VZy/uszI=

CF0oDN0JimIaGy/uszI=

ltJnyC+ReohYaiTvj1qbEA==

B9OkgdctVKBAFjSUaw==

sbDVwSZVVqVB11/deow8GA==

v1gHDe0pzno=

i+/0n2vHUfGPR98k77tukZ90MQ==

SUtCnbS96Qm21g==

8X9qzyt1dpAo31jXrXfKb49fBPY=

5KlPxqHzSstuFjSUaw==

0r/Kesv/zuanroxvNQW0Gm8=

FFgS7kfPYAqpdhhgRgnBJHY=

LgusAHrkrIoWr0FWIe2o/04UXPw=

vBq9Gvxa9wbKbS/uszI=

Z+q6HAZNNeqwwQ==

wbS4fMb06SjU5Kbseow8GA==

1mZEuZvJ/m0L9bof56PkkZ90MQ==

JCJIM74lHk/o+tiFOrA/

d14FrM8rGEgIzVkT67+3XaEh

OtJqJTaZyD/bgy/uszI=

MMzqpo3pVjbaigine/p4W6dqZPJKkg==

LRS4MpnBeVxC/bqjf0kMBGop69QC

7FTxgWaTLAKbm3B0QgW0Gm8=

hjbYktAyum2JNK6N

WRtxyNlENeqwwQ==

MTOKH+0pzno=

8LkJ8EsWWHIK

zs758oMTaffAxI0bn2uqFw==

ariAXDqMsKpwF5U=

UEZOAmXFnpRh+rqD

T5e5xzlTNeqwwQ==

tp424+UDomI=

Y7VXD+I8CKVuDZQ=

zg6qeGbHO1F+FjSUaw==

JPypEB2CuDAz+bXSrjo=

8ah8cf5odcPNS+Sa

k+CGNhyOMKVuDZQ=

oVviitkD8B7ZmijeyIDFOI9nZPJKkg==

TtztqHfKKqQWuVRvT9fSSpJJmAFYLjw=

p6pvJHfZmJgx6XwYuL56b798MA==

WWmegczy4x2O+cIC27RtkZ90MQ==

/QrLiDyde3RJWRwRmWYo

PtShJAZG1WU6LP3osjo=

ZTrOf2PMho1kdm/JtSU=

A1ssC+pS8dvNS+Sa

K4g38tVda8DNS+Sa

Dz7fj13DnKh1iV8++X2H8Fbeq1jBGh4D

0AjPwNQtnWUEpDBAJbq9GG8p69QC

ALhKrIu7/5BTRf1OQAW0Gm8=

a5Zp3GrGWhzmrBYRmWYo

dwzcQzpnYYAi8G7eypfSS6d3oWmQnQ==

VR3AHfcDyG79m6bm0YnEOEBS/fQ=

pyZFKiWXNaVuDZQ=

dzf0zzBlYaqLFjSUaw==

D6TIj16hJ8JhJMom8rlxkZ90MQ==

8qkyvpp56Qm21g==

4qNmKHymVg3Bx4M=

MOiH6DRYhutyFjSUaw==

JqTDnm+zOQLV+83Ucm9GDw==

YQilIAQqUM5vFjSUaw==

84U/nbvTQwzcyQ==

mC34kB9LdeJuFjSUaw==

DKLKrbwuuWyJNK6N

thisismyhomevalue.com

Targets

- Target
  
  Enquiry..xlsx
- Size
  
  80KB
- MD5
  
  6eb7cdf78741a76e34fc2a28f6f85653
- SHA1
  
  ec7982080385abbc4ff6f4cf13ea1282af241ae2
- SHA256
  
  82d4a5db7563c67d43eab4e320daf91465ecc5080747a98850059bca5e45aec5
- SHA512
  
  b695c95d95c4146354d329b5043332a200e4cbd3c1b95eded0165f6ad3532b771f01ccc3b265c546d06f8f024305bb3fda232ae9b0593facfb08467f14d1313d
Score

10^/10

xloader nn40 loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloadernn40loaderratsuricata

behavioral2

© 2018-2024

Terms | Privacy