xloader

General

Target

f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118
Size

760KB
Sample

240418-avp68scg29
MD5

f6e864629bc2117fb5cc3da3e33d6483
SHA1

57ce16786eb6a4c49cfc6c794d012187a1ab7eaf
SHA256

050249009735072542f00c432d35a71de4516aaee6fe7d5bfac1c8cda838e1f1
SHA512

aba973473ba7dd58e7aa25a8ab17390f90b5aca627771b5cb1fe3d3cb0f88c5ff936dfbba7b1a71bd798ce68e3e3adfbdc2fc9e7eed2434150c6f377795a0730
SSDEEP

12288:yuHHfYnbiuj4BiEOyHpBvygTUxiAuG0fEXj8l2hh/khmwizg:yunfYnbiuj40+pBvygA8WzC2hlRwl

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

nwru

Decoy

zjkhyo.com

mogreener.com

galanpresente.com

anthologistliving.com

jfl-info.net

cascobaycuttlerly.com

nefertityeg.com

greatescapefurniture.com

primulashop.com

xn--cittinrete-k4a.com

drugstoire.com

kefaloniabride.com

viralgenstudents.com

makerwl.com

rubyweed.com

badenio.com

smartcontracttraders.com

lcscards-veilig.icu

qf553.com

dnhsxm.com

Targets

- Target
  
  f6e864629bc2117fb5cc3da3e33d6483_JaffaCakes118
- Size
  
  760KB
- MD5
  
  f6e864629bc2117fb5cc3da3e33d6483
- SHA1
  
  57ce16786eb6a4c49cfc6c794d012187a1ab7eaf
- SHA256
  
  050249009735072542f00c432d35a71de4516aaee6fe7d5bfac1c8cda838e1f1
- SHA512
  
  aba973473ba7dd58e7aa25a8ab17390f90b5aca627771b5cb1fe3d3cb0f88c5ff936dfbba7b1a71bd798ce68e3e3adfbdc2fc9e7eed2434150c6f377795a0730
- SSDEEP
  
  12288:yuHHfYnbiuj4BiEOyHpBvygTUxiAuG0fEXj8l2hh/khmwizg:yunfYnbiuj40+pBvygA8WzC2hlRwl
Score

10^/10

xloader nwru agilenet loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader payload

Obfuscated with Agile.Net obfuscator

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2