xloader

General

Target

50923a92a0821cd466d83edd5a152fd0_JaffaCakes118
Size

510KB
Sample

240716-3q6mmsyeqe
MD5

50923a92a0821cd466d83edd5a152fd0
SHA1

4eb57f30a70125e2618a41917d7a8e5db743e0b5
SHA256

a1dc18b320d5f906df53dcc7a4d4e547b2ad6707e9484eafb3c8a8855c98a9b0
SHA512

5afa550a87dd5c28bf5140a573f7e87bceaf29325d5fe0a610fb60972887ffa5f904b2fd4b7834daa5e6b556fb7d72d51c4b6472827ae1b60ef6efaabb4e47f7
SSDEEP

12288:VEFBR/Li3r6WxoSIsJTZm08y5hmEfEMW52on0zi8luJ:VufKJcy5o52w8IJ

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

mt6e

Decoy

morozolga.com

selimtokdemir.com

deluxeweldingsupply.com

allannateddyrose.com

iconsneakersfr.com

vicenteconchilla.com

themediatenow.com

finishmybasemint.com

blaseskincare.com

betwho.site

madewithrealmeat.com

scratchpatchinc.com

daysad.com

kraftwater.com

prolifictrades.com

usdtmgm.com

mooneworms.com

grandspecialiste.com

mirzaassociates.com

bilaltahirofficial.com

Targets

- Target
  
  IMG_501327.exe
- Size
  
  462KB
- MD5
  
  1f11cb76d8f9643820a756448b4b3a0e
- SHA1
  
  c00db72ff5681b1f26db430a71b35dcfe3978d1c
- SHA256
  
  aaf1000d1f4822bb6e7424123c807a333a8696783ab029b49df8250b115c27ae
- SHA512
  
  2e1c2c46233b1a995e234ff7dd5a876a2230e06dc5ee6da3fdd3a890ce2f43bb57e0faee14c3094c80d99f435d42b7e13c845d885f82c2b2d31961cc1db2b3cc
- SSDEEP
  
  12288:pFda+FdagEMYLZsUN8dgHgY8RfuydvDZ0da7Af:bEMfrdc8Zhdd
Score

10^/10

xloader mt6e execution loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Beds Protector Packer
  Detects Beds Protector packer used to load .NET malware.
- Xloader payload
  rat
- Deletes itself
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Beds Protector Packer

Xloader payload

Deletes itself

Drops startup file

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2