xloader | d72b2c9f7dc00da9c2933bdd67a59dc0f8923d1478d2b22efc3ab1d52196a5c4 | Triage

Sharing

General

Target

235f4fc0aed323eacf697e1fd5b1aaeb_JaffaCakes118
Size

1.2MB
Sample

240508-f1pesacf9v
MD5

235f4fc0aed323eacf697e1fd5b1aaeb
SHA1

94ff17fe6f766a677b0f26b65e9e808ff7abdbbf
SHA256

d72b2c9f7dc00da9c2933bdd67a59dc0f8923d1478d2b22efc3ab1d52196a5c4
SHA512

d46120b65078d9b8a43bd5e2f9c86d1e00de7964fcf748e711a8fc989ed27055d5b00ec36e17a57d778f37621d767b5aa9459d22c29c454c23cfab477d155492
SSDEEP

6144:fr5KTzUvCH42ZGb9XF1csV2DoT/oENADXgjDxGXMSwGxDUxQTf2ujAhzs7g8LX:z5KEvCH4kGvqfPrDg3kXMitohz38LX

Score

10^/10

xloader d9s8 loader persistence rat spyware stealer

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

d9s8

Decoy

adriaguest.com

connerparty.com

jblmhomestore.net

23works.com

environmentsafetymemphis.com

hqxmf.com

hivepublications.com

keebcat.com

smalltownlawns.com

brasserie-lafayette.com

kq-iot.com

theghostfestival.com

dmhowardstudio.com

nittayabeauty.com

thebardi.com

transcash-pocket-money.com

stick.tips

revolucaomindfulness.com

clicrhonealpes.com

ekcraftmasters.com

Targets

- Target
  
  scn14092020.scr
- Size
  
  380KB
- MD5
  
  f028d6c9991258c5c75e9f234d4dee79
- SHA1
  
  2f6b7f76bb4a3342f3450e1cc9ef539c2028c59e
- SHA256
  
  576f0ed5ae69ececc1bb11492479101c0281af46cb86a73eae9195376ab02717
- SHA512
  
  d3fd7200dad40ce073d477205abf7736e9aa9aab492fec1f42c318f65c2a9e132ab45d6b9c52fa3d7c535db63c392d370e2ee2b4787845c4f5f5408ba352f8be
- SSDEEP
  
  6144:Jr5KTzUvCH42ZGb9XF1csV2DoT/oENADXgjDxGXMSwGxDUxQTf2ujAhzs7g8LX9:Z5KEvCH4kGvqfPrDg3kXMitohz38LX9
Score

10^/10

xloader d9s8 loader rat persistence spyware stealer
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderd9s8loaderrat

behavioral2

xloaderd9s8loaderpersistenceratspywarestealer