xloader | c293d4d9e720d02c39bdf666a07c503afd2fa0a2999b4ac75fe652f0723a7f8f | Triage

Sharing

General

Target

c293d4d9e720d02c39bdf666a07c503afd2fa0a2999b4ac75fe652f0723a7f8f
Size

1.7MB
Sample

221125-j71ceadd27
MD5

6e3ddfb05767bf1e938606b00441da04
SHA1

4ab7fbc73f04b823a3f3f474a6cb7ca52d79b254
SHA256

c293d4d9e720d02c39bdf666a07c503afd2fa0a2999b4ac75fe652f0723a7f8f
SHA512

e2d132c680b68ac1222b1e71e0c5f40b62a0e4499ab35c1b248f0c28b27183d2b93351593900a612b854c2bb885722845ff4cfe24fa8e99a261f3eeea5c192ae
SSDEEP

3072:iPKCblLCdC1TcIFr33QxB4KU5YGdOr/82fKcejIXWrNo3aVQ:A

Score

10^/10

xloader csv8 evasion loader persistence rat trojan

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

csv8

Decoy

slgacha.com

oohdough.com

6983ylc.com

aykassociate.com

latin-hotspot.com

starrockindia.com

beamsubway.com

queensboutique1000.com

madbaddie.com

bhoomimart.com

ankitparivar.com

aldanasanchezmx.com

citest1597669833.com

cristianofreitas.com

myplantus.com

counterfeitmilk.com

8xf39.com

pregnantwomens.com

yyyut6.com

stnanguo.com

Targets

- Target
  
  c293d4d9e720d02c39bdf666a07c503afd2fa0a2999b4ac75fe652f0723a7f8f
- Size
  
  1.7MB
- MD5
  
  6e3ddfb05767bf1e938606b00441da04
- SHA1
  
  4ab7fbc73f04b823a3f3f474a6cb7ca52d79b254
- SHA256
  
  c293d4d9e720d02c39bdf666a07c503afd2fa0a2999b4ac75fe652f0723a7f8f
- SHA512
  
  e2d132c680b68ac1222b1e71e0c5f40b62a0e4499ab35c1b248f0c28b27183d2b93351593900a612b854c2bb885722845ff4cfe24fa8e99a261f3eeea5c192ae
- SSDEEP
  
  3072:iPKCblLCdC1TcIFr33QxB4KU5YGdOr/82fKcejIXWrNo3aVQ:A
Score

10^/10

evasion persistence trojan xloader csv8 loader rat
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistencetrojan

behavioral2

xloadercsv8evasionloaderpersistencerattrojan