xloader | a2af55df6445bcc019b1170bc7a58c66eac022e3a7e8b88666b1e81f50697588 | Triage

Sharing

General

Target

a2af55df6445bcc019b1170bc7a58c66eac022e3a7e8b88666b1e81f50697588
Size

1.0MB
Sample

220706-kdzz8aafcj
MD5

195897320c3f7ded2d7db9a1a11b39be
SHA1

0c79b45bf75ec3a2a74e8dbeb6ff8f61349aa62f
SHA256

a2af55df6445bcc019b1170bc7a58c66eac022e3a7e8b88666b1e81f50697588
SHA512

6487e5536dcdc863a2a40823bbb1a2ec2034813c2aeb6a2bf3a39ce3bdeb5415aa077ea7d4146cf215ad097373f1c1d45e2e8449384033e3df8b81995cf890f6

Score

10^/10

xloader n5mz loader persistence rat spyware stealer suricata

Malware Config

Extracted

Family

xloader

Version

2.7

Campaign

n5mz

Decoy

ezhuilike.com

broomstickrum.com

ramaniclothing.com

midbots.com

rlxscpe.com

elanagro.online

chahuajie.com

digipubcity.com

predatorstoppers.com

savas-jewelry.com

timinis23.com

homesteaddesignstudio.net

bellezadehoy.online

disintar.xyz

sharinks.tech

redfoxdetroit.com

resscoptheron.com

aspiritualgiftshoppe.com

tematemazo.com

assasa.net

Targets

- Target
  
  a2af55df6445bcc019b1170bc7a58c66eac022e3a7e8b88666b1e81f50697588
- Size
  
  1.0MB
- MD5
  
  195897320c3f7ded2d7db9a1a11b39be
- SHA1
  
  0c79b45bf75ec3a2a74e8dbeb6ff8f61349aa62f
- SHA256
  
  a2af55df6445bcc019b1170bc7a58c66eac022e3a7e8b88666b1e81f50697588
- SHA512
  
  6487e5536dcdc863a2a40823bbb1a2ec2034813c2aeb6a2bf3a39ce3bdeb5415aa077ea7d4146cf215ad097373f1c1d45e2e8449384033e3df8b81995cf890f6
Score

10^/10

xloader n5mz loader persistence rat spyware stealer suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Xloader Payload
  rat
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloadern5mzloaderpersistenceratspywarestealersuricata