xloader | 51861af4be587112d2827d71c2c2c3adddc9e7531aa4bf2850d205be3dc50113 | Triage

Sharing

General

Target

fc5e7180f8df26c39560f18d7e4f17a3_JaffaCakes118
Size

566KB
Sample

240420-km6jcscg89
MD5

fc5e7180f8df26c39560f18d7e4f17a3
SHA1

9d8adf3384edea39294d970f87834ddf55896463
SHA256

51861af4be587112d2827d71c2c2c3adddc9e7531aa4bf2850d205be3dc50113
SHA512

fded849636c297663144d7bf7835064de4c26aa78df666765c686d286508e92a60f085bfc0781b46d98836a728b6b0d1970bfcd7c1acaad13939b9c5c64fff77
SSDEEP

6144:XwnMNVAKl5Y6SZ70111uX5KNYGo0KyDsZuRc4+bLQg+83Me3ae+QzfE:XwCmKlpzuXCzXDUOr8LQg+83MEl+E

Score

10^/10

xloader rca2 loader persistence rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

rca2

Decoy

bapzcosmetics.com

skillsgage.com

mingshiweiye.com

dcc-compliance.com

emprenbook.com

firn.site

haryanaricemil.com

fleetwoodfoods.com

jlnxhbkj.com

surajsanyal.com

jubakey.com

auroraunitedshippingco.com

propolis-surabaya.com

vasinvestments.com

breederschallenge.com

tafcoo.com

417motoringparts.com

livemis.com

drainassist.com

kristenguestart.com

Targets

- Target
  
  fc5e7180f8df26c39560f18d7e4f17a3_JaffaCakes118
- Size
  
  566KB
- MD5
  
  fc5e7180f8df26c39560f18d7e4f17a3
- SHA1
  
  9d8adf3384edea39294d970f87834ddf55896463
- SHA256
  
  51861af4be587112d2827d71c2c2c3adddc9e7531aa4bf2850d205be3dc50113
- SHA512
  
  fded849636c297663144d7bf7835064de4c26aa78df666765c686d286508e92a60f085bfc0781b46d98836a728b6b0d1970bfcd7c1acaad13939b9c5c64fff77
- SSDEEP
  
  6144:XwnMNVAKl5Y6SZ70111uX5KNYGo0KyDsZuRc4+bLQg+83Me3ae+QzfE:XwCmKlpzuXCzXDUOr8LQg+83MEl+E
Score

10^/10

xloader rca2 loader persistence rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xloaderrca2loaderpersistencerat