xloader

General

Target

5b1975c8163b6008cd7aaf687aff39c9
Size

331KB
Sample

220627-qt4k8sbehn
MD5

5b1975c8163b6008cd7aaf687aff39c9
SHA1

aa9f79814a3f91c29db5d11578ca3ac486f610a6
SHA256

11de51fb9d41c57a868af00459427ccead79297124441502b1e03e6f6d43e932
SHA512

549ac0c6f354eb078d0951f753c1487cd56d4c27cdb1765d643ad1fc9065f4a675d2e045fba909e20362ad303d1b72124193b95b2e5859adc17ac7f2f23a9b9c

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

nn40

Decoy

LYAg0yANOGEAGeaFOrA/

MQWuERZplP+VZy/uszI=

CF0oDN0JimIaGy/uszI=

ltJnyC+ReohYaiTvj1qbEA==

B9OkgdctVKBAFjSUaw==

sbDVwSZVVqVB11/deow8GA==

v1gHDe0pzno=

i+/0n2vHUfGPR98k77tukZ90MQ==

SUtCnbS96Qm21g==

8X9qzyt1dpAo31jXrXfKb49fBPY=

5KlPxqHzSstuFjSUaw==

0r/Kesv/zuanroxvNQW0Gm8=

FFgS7kfPYAqpdhhgRgnBJHY=

LgusAHrkrIoWr0FWIe2o/04UXPw=

vBq9Gvxa9wbKbS/uszI=

Z+q6HAZNNeqwwQ==

wbS4fMb06SjU5Kbseow8GA==

1mZEuZvJ/m0L9bof56PkkZ90MQ==

JCJIM74lHk/o+tiFOrA/

d14FrM8rGEgIzVkT67+3XaEh

Targets

- Target
  
  FACTURA.xlsx
- Size
  
  80KB
- MD5
  
  54471ddd206fafeba1c73948f48ef258
- SHA1
  
  2f59811f4afcef21b532358025d5a355387530d4
- SHA256
  
  16ea528e9912bfca30351fb41ecd54eceab33f52d011c9b68f34d122c71980ec
- SHA512
  
  c7420e2b986cc61dba7b2e94394616f258a099b297dd3148f216e20d580801415b29bace9af178561a80d9c4bb38e5c421fce471c5ee54adc91b6c868775166b
Score

10^/10

xloader nn40 loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  PREUVE DE TRANSFERT.xlsx
- Size
  
  80KB
- MD5
  
  54471ddd206fafeba1c73948f48ef258
- SHA1
  
  2f59811f4afcef21b532358025d5a355387530d4
- SHA256
  
  16ea528e9912bfca30351fb41ecd54eceab33f52d011c9b68f34d122c71980ec
- SHA512
  
  c7420e2b986cc61dba7b2e94394616f258a099b297dd3148f216e20d580801415b29bace9af178561a80d9c4bb38e5c421fce471c5ee54adc91b6c868775166b
Score

10^/10

xloader nn40 loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral3 behavioral4