xloader | e91d88bbb3693136fce60e4208200af50f9855a1d4b4e96d164ba7ef8b1e0bda | Triage

Sharing

General

Target

ef3ee1a764a33632b5cf8d0b10853d8d_JaffaCakes118
Size

1.6MB
Sample

240412-ga8leaah8t
MD5

ef3ee1a764a33632b5cf8d0b10853d8d
SHA1

815dde75d76b1f61ac69cff8edfebed265aa801f
SHA256

e91d88bbb3693136fce60e4208200af50f9855a1d4b4e96d164ba7ef8b1e0bda
SHA512

abdda3497ceaba4b2b8513fa5344fc4aa631858c26f9b32fc7f10d0d2971b935859acd27d54845cc4c11a8fc7a920d9d52ac21194ef05e125fdd09cedc8246f0
SSDEEP

24576:nqLS/d3UYdkb7Mb+8w/qx/YNTSlzPdVsC9+8EUUWbmwRGPoN7vdiTbnFM:NM7Mb+8P/xtUeLEcm/PoiM

Score

10^/10

xloader r58u loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

r58u

Decoy

schmidt-montecarmelo.com

bainrix.com

healtracer.com

thriveclothingclub.com

thedreamforce.computer

cbidhh.icu

btcmart.info

nnghxks75.com

524joshua.com

novarealty.homes

a2amc.com

ebtbedge.com

youmaitiantian.com

bjhszz.com

dwchongzhi.com

getfastpage.com

customerservice-netflix.com

pontiac.today

tved-rnzfr.xyz

flourishingfamilies.today

Targets

- Target
  
  ef3ee1a764a33632b5cf8d0b10853d8d_JaffaCakes118
- Size
  
  1.6MB
- MD5
  
  ef3ee1a764a33632b5cf8d0b10853d8d
- SHA1
  
  815dde75d76b1f61ac69cff8edfebed265aa801f
- SHA256
  
  e91d88bbb3693136fce60e4208200af50f9855a1d4b4e96d164ba7ef8b1e0bda
- SHA512
  
  abdda3497ceaba4b2b8513fa5344fc4aa631858c26f9b32fc7f10d0d2971b935859acd27d54845cc4c11a8fc7a920d9d52ac21194ef05e125fdd09cedc8246f0
- SSDEEP
  
  24576:nqLS/d3UYdkb7Mb+8w/qx/YNTSlzPdVsC9+8EUUWbmwRGPoN7vdiTbnFM:NM7Mb+8P/xtUeLEcm/PoiM
Score

10^/10

xloader r58u loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- CustAttr .NET packer
  Detects CustAttr .NET packer in memory.
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderr58uloaderrat

behavioral2

xloaderr58uloaderrat