xloader | 36dabaa854dac855255b08b096a1fb6cee39f910dfbd2101812a0c5d33b1a983 | Triage

Submit
Reports

Overview

overview

Static

static

3

8e6b004fb9...18.exe

windows7-x64

8e6b004fb9...18.exe

windows10-2004-x64

Sharing

General

Target

8e6b004fb91c81b531eb93c36fb0544c_JaffaCakes118
Size

454KB
Sample

240812-mplyva1frh
MD5

8e6b004fb91c81b531eb93c36fb0544c
SHA1

ac34c999e62735c6c117507e0fe97dbe0ff30974
SHA256

36dabaa854dac855255b08b096a1fb6cee39f910dfbd2101812a0c5d33b1a983
SHA512

f5c68042a19510f01f67b574d4a0e225e0c7d311571298ecd374f40de2aac6aa95a94a1f32dcc980ed4f1091904747724750d2544b2184451336abbe9a62fb12
SSDEEP

12288:kJCnJC/EMYLysUN8d5k/PrNZIec8NlgTHYDZ0dtN:hc/EMwrd5QPRZLPlgsd

Score

10^/10

xloader mt6e discovery execution loader rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

8e6b004fb91c81b531eb93c36fb0544c_JaffaCakes118.exe

Resource

win7-20240708-en

xloader mt6e discovery execution loader rat

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

8e6b004fb91c81b531eb93c36fb0544c_JaffaCakes118.exe

Resource

win10v2004-20240802-en

xloader mt6e discovery execution loader rat

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

mt6e

Decoy

morozolga.com

selimtokdemir.com

deluxeweldingsupply.com

allannateddyrose.com

iconsneakersfr.com

vicenteconchilla.com

themediatenow.com

finishmybasemint.com

blaseskincare.com

betwho.site

madewithrealmeat.com

scratchpatchinc.com

daysad.com

kraftwater.com

prolifictrades.com

usdtmgm.com

mooneworms.com

grandspecialiste.com

mirzaassociates.com

bilaltahirofficial.com

covid19overwatch.com

thelastco.com

hansenholdings.net

byjerrywilliams.com

arabgril.com

bowedpink.com

five-minute-diary.com

shop-moonandlola.com

shareboard.net

shopstuckonyou.com

streamthechurch.com

m1stkissmanga.com

cornialera.com

mobilesolutionservice.com

praying.today

thetastybears.com

thegreenlittlebuddha.com

thegiftsofanxiety.com

unmined.win

ikescakes.com

loveandhairstudio.com

okaidoku-shop.net

mcconstruction.company

anerdychristmas.com

avmelihcelik.com

therockremodelinghome.com

moment.email

fusimachallenge.com

comriv.com

lonestarcamaro.com

thetrainertailor.com

solaytech.com

didiami.com

prcfilms.com

emergesorted.com

360marketing.guru

contex3.info

gpjlqwnd.icu

mercedesbenz-jakarta.com

360holdingsbh.com

journey-broadway.com

buyers-connection.com

sufferer-unimpressible.com

hollyspringsedfoundation.com

unicom-group.com

Targets

- Target
  
  8e6b004fb91c81b531eb93c36fb0544c_JaffaCakes118
- Size
  
  454KB
- MD5
  
  8e6b004fb91c81b531eb93c36fb0544c
- SHA1
  
  ac34c999e62735c6c117507e0fe97dbe0ff30974
- SHA256
  
  36dabaa854dac855255b08b096a1fb6cee39f910dfbd2101812a0c5d33b1a983
- SHA512
  
  f5c68042a19510f01f67b574d4a0e225e0c7d311571298ecd374f40de2aac6aa95a94a1f32dcc980ed4f1091904747724750d2544b2184451336abbe9a62fb12
- SSDEEP
  
  12288:kJCnJC/EMYLysUN8d5k/PrNZIec8NlgTHYDZ0dtN:hc/EMwrd5QPRZLPlgsd
Score

10^/10

xloader mt6e discovery execution loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Beds Protector Packer
  Detects Beds Protector packer used to load .NET malware.
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloadermt6ediscoveryexecutionloaderrat

behavioral2

xloadermt6ediscoveryexecutionloaderrat

© 2018-2024

Terms | Privacy