xloader | 33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59 | Triage

Submit
Reports

Overview

overview

Static

static

tmp.exe

windows7_x64

tmp.exe

windows10-2004_x64

Sharing

General

Target

tmp
Size

510KB
Sample

220628-gqyfdahcb9
MD5

ed110000e4a38ea4c524a777c0b28a38
SHA1

a82ea598a09bf51269131363d2ca1120e45c92aa
SHA256

33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59
SHA512

b771cae1b0e7a25d58dbbdb60a86d39bed08d6c0f97d18b928cb1179dba6911f494b4cec853d169d3113f2a7afa1c3ac45e6fb74f6c6a1fa73978b9209c0de4e

Score

10^/10

xloader wfc6 loader rat spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

tmp.exe

Resource

win7-20220414-en

xloader wfc6 loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

tmp.exe

Resource

win10v2004-20220414-en

xloader wfc6 loader rat spyware stealer suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

wfc6

Decoy

FPF0BDtsP/0Z3N3EpIfSsQ==

wZbFgKkm5jUpFbB+GQ==

I/oJ0Jcb+eoMqQ==

w7zarxxnPcIgupA=

63SbUimyWalvjfJdRb9U

igCt44uCBYeAugeiTMZW

ZHJ4C8BlAvVDAIRo

XJUEKbSv5SVkKdCoWvkuKiQ=

TDPHixX7VMIgupA=

Xt5NdBkHqXeYgHtS6Lik7Sw=

rJKZiOi3mIr7iH5dEQ==

wbheFmd7+XMkt7KALN8A2NcT+npeUP+g

xqk06+lXAT3bemE847ik7Sw=

YS7SndCMWuCAFbB+GQ==

tJ4lxa1kPUfSZ4UiujZGLCQ=

j8gSmNPGzqe6

iQORUvIx0N1glkfomjmZCzmGPbKE/A==

dlD3cvHVcUBqgNrHpIfSsQ==

Sk9cCV2WvRkavg==

70RVeKQWsgOZMyf+0g0zKyM=

ohA2+Np+OXsEkI9kEcH18SFl14w=

ST7zr+vrjluKY0044qtjpaActyK9

CXijyOBe299npm3+ozM=

tphA7dOGMwEL+E4g/LbEqA==

wZY0YPg56DPTpVAowDs=

lGgNzOJX9yWTNZJx

IukdRenq0udDAIRo

/v2eVZ/MuMJDdtCjO7pJmVRGDftzvas62w==

feXz+6MdJRoTzIc=

X1gMxLgjzQqpQh37n0qlSXq5

bvYhjGIj+eoMqQ==

JnygzOBS4RoTzIc=

aE5SgJwPjJMaX+LFadoOYaArpJmB9ps=

ZVoMNsGzYh4uFbB+GQ==

Y/h4es8mfMIgupA=

5LY/YvHhvRkavg==

X9jXctO6Rd0BHIRTCp9Asnl/h7heUP+g

d9naXx+nRMIgupA=

ZEbgr2pZMCg5Kphx

8Fhj8rA21BCbyA6tjcV5uQ==

mZAZqt/JZStIYMZdRb9U

VU1PAFiTvRkavg==

d8b+wmHKSk3UFZ5zCY95/DM=

mJKsYw+CInX2XW3+ozM=

nOcOwY8W+eoMqQ==

4tyXN3eC9m8RnZFiC7v38SFl14w=

CYB9GOdpC1YDULZdRb9U

vCtZAF6ROnP6g4JS47ik7Sw=

qn4l0rBZCNb49n1A4rik7Sw=

8jY5Oo2TMPEYScRdRb9U

uLhFDueWOXGt

cPqn2X1t8bDiAHBC4FelSXq5

RC5DCM9m6vyHvkgZtU01q04hqs5v8A==

Lg22bRP9zNJG30QOwll3qyFl14w=

9PLzES2aQZcTfVoz4bik7Sw=

LaLYmAfLUFr4ULpdRb9U

+3D9DY7joOWGGQTqmkqlSXq5

v4VAbfsSO/JDAIRo

Pkbwmo1bGvRDAIRo

bMTnAuajbyg18OfCpIfSsQ==

XqzQnn/+pQGhCdu2YRRQoCFl14w=

aWd4kIAzHy2TNZJx

mY5/lIo95Zu4Y0rXud+C8TU=

8AAvYXM4BuUB5D0q/LbEqA==

ssdunlimited.com

Targets

- Target
  
  tmp
- Size
  
  510KB
- MD5
  
  ed110000e4a38ea4c524a777c0b28a38
- SHA1
  
  a82ea598a09bf51269131363d2ca1120e45c92aa
- SHA256
  
  33804adf1254ef1376ce4a0416ff03db837b5bf23a752b8483ffdc1738a5cb59
- SHA512
  
  b771cae1b0e7a25d58dbbdb60a86d39bed08d6c0f97d18b928cb1179dba6911f494b4cec853d169d3113f2a7afa1c3ac45e6fb74f6c6a1fa73978b9209c0de4e
Score

10^/10

xloader wfc6 loader rat suricata spyware stealer
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderwfc6loaderratsuricata

behavioral2

xloaderwfc6loaderratspywarestealersuricata

© 2018-2024

Terms | Privacy