xloader | d078365fc33b9ac081aede979d359a79071901306c49cc71865a804c72346d70 | Triage

Sharing

General

Target

d078365fc33b9ac081aede979d359a79071901306c49cc71865a804c72346d70
Size

323KB
Sample

240901-a123zsvfmf
MD5

bdfa6f648f6b319c38e457c5ae00c9f6
SHA1

29823306c64b7a24f93dac9e5c2a5af77d3cc2e3
SHA256

d078365fc33b9ac081aede979d359a79071901306c49cc71865a804c72346d70
SHA512

3a8cf77538bf10a94c0196f820315482f281a0d43830303908dd75de8197ac55a48783b8c392bfe259dad2509128a2ec779d4d74b9dfb9696113a08d570a7597
SSDEEP

6144:JMxSHnCK8O+hNd4PGxSy0A2sqI1Yp77n9FGTGM3OHsMzNEI8EqlT+uJUCulCEeSf:9HCi+hkP4l2TI1YJr9JZMfI8E4WCuIEL

Score

10^/10

xloader ntfs discovery execution loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ntfs

Decoy

cast-host.com

sheenwoman.com

cateringpairs.com

butikgamis.com

esd66.com

beautystaze.com

findavetnearme.com

lyketigers.com

nesboutiqe.com

jadeutil.com

survivalfresh.com

realestatebramlett.com

glorynap.com

awards.institute

huangtapps.com

beyondwithyou.com

cryptocustomerhelp.com

plataformasoma.net

lstpark.com

noalareelecionindefinida.com

Targets

- Target
  
  427b6129f42722d768ebf07bcd966939120313f08e3c5b0c857644f6c2a51693
- Size
  
  349KB
- MD5
  
  f9bfc7f212a6cd22360e1490f555fbdd
- SHA1
  
  24ea648fde606a1ace9716649b9dc2e40ed90b21
- SHA256
  
  427b6129f42722d768ebf07bcd966939120313f08e3c5b0c857644f6c2a51693
- SHA512
  
  6da89c186e10f47c664a2c633b22deae1dad36a8eaa8b2c3d1d3c882e13d56c79f6f65eb7d2252c2ed37ac081d23008553867f2a3c37cd98a829434d14e1527b
- SSDEEP
  
  6144:V4gfheNKl88ef0pNNZ9N2sHjvXIDRqzFQboylBMZ4inoMvXClY:V8Nmqf0ZZPSiEo54ino1C
Score

10^/10

xloader ntfs discovery execution loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderntfsdiscoveryexecutionloaderrat

behavioral2

discoveryexecution