xloader | b3d596c367aa592bd0ca88890ecba27437f442c4da101206ad62f43072f02cb4 | Triage

Submit
Reports

Overview

overview

Static

static

PO-18009612.xlsx

windows7_x64

PO-18009612.xlsx

windows10-2004_x64

1

Sharing

General

Target

PO-18009612.xlsx
Size

177KB
Sample

220705-rj9vyabhe9
MD5

10ccb0edfaacd25dc4935f5641c823b0
SHA1

17fb136add605e6dbda86b56b412cf05d04996ac
SHA256

b3d596c367aa592bd0ca88890ecba27437f442c4da101206ad62f43072f02cb4
SHA512

696e8847a404dab17d173bc63103ce7d793553fd834bebf60e7845aa45c7b8c4a89082373d57892a757d577784dd24f0dce9397e40be4d935c8434fc6a02131a

Score

10^/10

xloader nn40 loader rat suricata

Static task

static1

Behavioral task

behavioral1

Sample

PO-18009612.xlsx

Resource

win7-20220414-en

xloader nn40 loader rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO-18009612.xlsx

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

nn40

Decoy

LYAg0yANOGEAGeaFOrA/

MQWuERZplP+VZy/uszI=

CF0oDN0JimIaGy/uszI=

ltJnyC+ReohYaiTvj1qbEA==

B9OkgdctVKBAFjSUaw==

sbDVwSZVVqVB11/deow8GA==

v1gHDe0pzno=

i+/0n2vHUfGPR98k77tukZ90MQ==

SUtCnbS96Qm21g==

8X9qzyt1dpAo31jXrXfKb49fBPY=

5KlPxqHzSstuFjSUaw==

0r/Kesv/zuanroxvNQW0Gm8=

FFgS7kfPYAqpdhhgRgnBJHY=

LgusAHrkrIoWr0FWIe2o/04UXPw=

vBq9Gvxa9wbKbS/uszI=

Z+q6HAZNNeqwwQ==

wbS4fMb06SjU5Kbseow8GA==

1mZEuZvJ/m0L9bof56PkkZ90MQ==

JCJIM74lHk/o+tiFOrA/

d14FrM8rGEgIzVkT67+3XaEh

OtJqJTaZyD/bgy/uszI=

MMzqpo3pVjbaigine/p4W6dqZPJKkg==

LRS4MpnBeVxC/bqjf0kMBGop69QC

7FTxgWaTLAKbm3B0QgW0Gm8=

hjbYktAyum2JNK6N

WRtxyNlENeqwwQ==

MTOKH+0pzno=

8LkJ8EsWWHIK

zs758oMTaffAxI0bn2uqFw==

ariAXDqMsKpwF5U=

UEZOAmXFnpRh+rqD

T5e5xzlTNeqwwQ==

tp424+UDomI=

Y7VXD+I8CKVuDZQ=

zg6qeGbHO1F+FjSUaw==

JPypEB2CuDAz+bXSrjo=

8ah8cf5odcPNS+Sa

k+CGNhyOMKVuDZQ=

oVviitkD8B7ZmijeyIDFOI9nZPJKkg==

TtztqHfKKqQWuVRvT9fSSpJJmAFYLjw=

p6pvJHfZmJgx6XwYuL56b798MA==

WWmegczy4x2O+cIC27RtkZ90MQ==

/QrLiDyde3RJWRwRmWYo

PtShJAZG1WU6LP3osjo=

ZTrOf2PMho1kdm/JtSU=

A1ssC+pS8dvNS+Sa

K4g38tVda8DNS+Sa

Dz7fj13DnKh1iV8++X2H8Fbeq1jBGh4D

0AjPwNQtnWUEpDBAJbq9GG8p69QC

ALhKrIu7/5BTRf1OQAW0Gm8=

a5Zp3GrGWhzmrBYRmWYo

dwzcQzpnYYAi8G7eypfSS6d3oWmQnQ==

VR3AHfcDyG79m6bm0YnEOEBS/fQ=

pyZFKiWXNaVuDZQ=

dzf0zzBlYaqLFjSUaw==

D6TIj16hJ8JhJMom8rlxkZ90MQ==

8qkyvpp56Qm21g==

4qNmKHymVg3Bx4M=

MOiH6DRYhutyFjSUaw==

JqTDnm+zOQLV+83Ucm9GDw==

YQilIAQqUM5vFjSUaw==

84U/nbvTQwzcyQ==

mC34kB9LdeJuFjSUaw==

DKLKrbwuuWyJNK6N

thisismyhomevalue.com

Targets

- Target
  
  PO-18009612.xlsx
- Size
  
  177KB
- MD5
  
  10ccb0edfaacd25dc4935f5641c823b0
- SHA1
  
  17fb136add605e6dbda86b56b412cf05d04996ac
- SHA256
  
  b3d596c367aa592bd0ca88890ecba27437f442c4da101206ad62f43072f02cb4
- SHA512
  
  696e8847a404dab17d173bc63103ce7d793553fd834bebf60e7845aa45c7b8c4a89082373d57892a757d577784dd24f0dce9397e40be4d935c8434fc6a02131a
Score

10^/10

xloader nn40 loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloadernn40loaderratsuricata

behavioral2

© 2018-2024

Terms | Privacy