xloader | 85847874aea834ab30ef9519bb57416585e6caadf49ce78051092948c29626e4 | Triage

Submit
Reports

Overview

overview

Static

static

Purchase_order.docx

windows7_x64

Purchase_order.docx

windows10-2004_x64

1

Sharing

General

Target

Purchase_order.docx
Size

10KB
Sample

220713-lv22kscffq
MD5

3083d2eaf85e76380da9c9b0509f163d
SHA1

62c8d8d9af1901d41b7562bc5adc4edd2b1c3cf0
SHA256

85847874aea834ab30ef9519bb57416585e6caadf49ce78051092948c29626e4
SHA512

4ddfc682b43361ea7d1c167519947e3a209c6a89b8f42028df3e593b5c305d11427f1bf92ece7bb1f0729537a90103a72702c049df1ace6e340d67e5b2da66bf

Score

10^/10

xloader v4qp loader persistence rat suricata websettings

Static task

static1

Behavioral task

behavioral1

Sample

Purchase_order.docx

Resource

win7-20220414-en

xloader v4qp loader persistence rat suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Purchase_order.docx

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

https://9link.net/mnKtu

Extracted

Family

xloader

Version

2.9

Campaign

v4qp

Decoy

je1XQKU1LfJPVLk=

nvf41a7FsTLs6uB/g+CR

U7mryF6DctZn6GEjr9Bm4g==

1SONGrPdh7wGEOXp3g==

2xX859r7qOFq7GYkr9Bm4g==

IYtzVUx0Oo0HmZawLQAARDvBf4dL

NH3iuBPNSzZTvpw/4KaG

rDehfiqIPbdMBS8G1g==

xhb2uJ0eBwo7k3djqxh60xoNt4VoeQ==

AFtKux3JgPGRkx3xUsciR6piSg==

m+3VoJadWcBvOAPpzKUNPoAxyplS

1DWKULdka3mxIKhEqGxQr7gxyplS

DGlFGBqWi5CtrCX9alyTuPzq

muvVM4slyTfxORwAZisVksCM78aSEVo=

D3biNgUbyg9E5pl+

/+1QLPssvl/Xxg==

I4lzTjaAcc1iBS8G1g==

wSwc4MmbShojhlZCrniTuPzq

jN5YO6ZXSfJPVLk=

4TUS4+ANuqHCRTM9sniTuPzq

7Ssfd9ru/HPzWMZ42Z+E

TJl+UkzTsY6g86lyegOU3gw=

0juvfNqRgmJwwpc/4KaG

WJuGVDdhQj1Ux5s/4KaG

FHdjPTRtZc1rPwr8zUQfXogxyplS

1yUI9+gAwMPuYMWALzWc+w==

CW1UNSZVQKAlmQep/XYDYGot8HZX30M=

vRqFbt1zJfH304GOeAOU3gw=

P5CIQS65moOingakeAOU3gw=

d9dBqqBI+vgR0Q==

1zElifgR7DjBQhEgnWqTuPzq

Z60BYmHr5eHr4qiedQOU3gw=

HWU4MRo7NYMKvenJppIKPWxeSQ==

e3BN71BTWfJPVLk=

wy7WdMhKC6ZIBS8G1g==

XquYfmaLfMtjMdvi0UJCve3YPQ9/3VBp

KZGA1zHJgWB5XAUCtW5auQQ=

xiMia8hyQfJPVLk=

fs3InobYUU1v

g/FWtqk8QVV2fvykeAOU3gw=

Gk0rieTkzD/cYMxmtQij4wb9

sQ92QpZSTOWOi15IKJWeEYMaENE=

DmfkxD7hjeFXBS8G1g==

AF/WMxGNm+1qwhvu59Ziy96hOpN/3VBp

mPxzMqdFvl/Xxg==

wbYTecjCf2dE5pl+

bM22jGRvLWbm3dd/g+CR

3T4iifwiBwdGDun0r9Bm4g==

hd/Zp4qeQhkDA7I+sXVavwQ=

Y6UNZTVzVVVE5pl+

4V68Jxr1n3hpa/igeQOU3gw=

oxRu5bztvl/Xxg==

IoXeT3nFp316WK0=

LSJ+4y5JmmIN3w==

svtsPL5PAtT1ZVBKmNxkR6piSg==

Tqv+1CqslWNp1Z1v4rzl6xM=

nOjWOqSkigqvKn8jr9Bm4g==

5vNHav9pXUs=

51u5hOzjug9E5pl+

BV3fNCavl2Z69CjsSAHGFiPi

Pov+YD5zJgUUinyAxxhVrb6W7saSEVo=

sfvz0cLqvl/Xxg==

MZ0a3y3CnzpW1DsSU01xouShpVtF

ogaE4dJvYFB76MzDJpoQR6piSg==

erilb.com

Targets

- Target
  
  Purchase_order.docx
- Size
  
  10KB
- MD5
  
  3083d2eaf85e76380da9c9b0509f163d
- SHA1
  
  62c8d8d9af1901d41b7562bc5adc4edd2b1c3cf0
- SHA256
  
  85847874aea834ab30ef9519bb57416585e6caadf49ce78051092948c29626e4
- SHA512
  
  4ddfc682b43361ea7d1c167519947e3a209c6a89b8f42028df3e593b5c305d11427f1bf92ece7bb1f0729537a90103a72702c049df1ace6e340d67e5b2da66bf
Score

10^/10

xloader v4qp loader persistence rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader payload
  rat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xloaderv4qploaderpersistenceratsuricata

behavioral2

© 2018-2024

Terms | Privacy