xloader | bffc9c0c74952c439ca980be37a1f1e21c182b13c992f1a345a541413bfea91a | Triage

Sharing

General

Target

74bd3fc0782c84d45e5659a378f9dc01JaffaCakes118
Size

408KB
Sample

240531-dq6vzaec82
MD5

74bd3fc0782c84d45e5659a378f9dc01
SHA1

e905675d92d1ee0d278796af59827b1231cc9d34
SHA256

bffc9c0c74952c439ca980be37a1f1e21c182b13c992f1a345a541413bfea91a
SHA512

0da4491c4558970de3f13a85769d73354b2b369031fd3bfee2c8d3a393c814a005f6f2a3e32edf4d5c563dfaf0b3fdb1c49006ec51c2bd673bb814517dba7e80
SSDEEP

6144:LHAgbCa8sGQTpS1KzolRLNYXkw7W1ZA4s9m8HTVZ:LHX8kT8KznXkBskUTVZ

Score

10^/10

xloader u4xn loader persistence rat

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

u4xn

Decoy

yanghl.com

decorvea.online

xn--fjq92bw28b1tloj5a39d42h.com

yumler.info

laketravisautosales.net

zjnrgx.info

harrimanpm.com

dell-yh.com

eze.fitness

pritpritzoom.com

hackgarage.com

mydomterry.net

castrotom.com

coffeecosplay.com

wsfg-hk.com

crystalbeachstudio.com

bestofreadbook.win

sutasz.info

yunfengyue.com

h11011.com

Targets

- Target
  
  74bd3fc0782c84d45e5659a378f9dc01JaffaCakes118
- Size
  
  408KB
- MD5
  
  74bd3fc0782c84d45e5659a378f9dc01
- SHA1
  
  e905675d92d1ee0d278796af59827b1231cc9d34
- SHA256
  
  bffc9c0c74952c439ca980be37a1f1e21c182b13c992f1a345a541413bfea91a
- SHA512
  
  0da4491c4558970de3f13a85769d73354b2b369031fd3bfee2c8d3a393c814a005f6f2a3e32edf4d5c563dfaf0b3fdb1c49006ec51c2bd673bb814517dba7e80
- SSDEEP
  
  6144:LHAgbCa8sGQTpS1KzolRLNYXkw7W1ZA4s9m8HTVZ:LHX8kT8KznXkBskUTVZ
Score

10^/10

xloader u4xn loader persistence rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderu4xnloaderpersistencerat

behavioral2

xloaderu4xnloaderpersistencerat