xloader | db3661bd4ea32a52f0b42d59a4b320b1292cc1645ebb282b3bd15f81a17d62f0 | Triage

Sharing

General

Target

db3661bd4ea32a52f0b42d59a4b320b1292cc1645ebb282b3bd15f81a17d62f0
Size

390KB
Sample

240904-vqe6pavfqd
MD5

ecd661c1e56d9ca6ed8cf46fcb7c4fe9
SHA1

b1bae4e6b4218f1b672cd2a7e52d1319ec02a0be
SHA256

db3661bd4ea32a52f0b42d59a4b320b1292cc1645ebb282b3bd15f81a17d62f0
SHA512

c2cebe49c7e92f3d09f7d1f1ec0d65f43d84257a55126d5b96d4cb27159e3e4d012648ba5a68ee1b2123ad53bb81a98422394d752e292c8d9703fc70a07fde1d
SSDEEP

12288:HL8VhmHuvuJuhmgh+iRIkVqo91YQqJmay:r8rmHuAuhPjRwo91YbJmT

Score

10^/10

xloader gab8 discovery execution loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

gab8

Decoy

amateurfeetworship.com

big-food.biz

metaversevolution.com

profecional-pacasmayo.com

royzoom.com

bekindevolution.com

hokozaki.com

waltersswholesale.com

wayfinderacu.com

schnurrgallery.com

babygearrentals.net

imggtoken.club

24x7x366.com

lakiernictwo.info

les-cours.com

dwticket.com

onarollshades.com

ramireztradepartners.com

safarparfums.com

6ngie.info

Targets

- Target
  
  441093812c61d7d3698c2f3288a0b8e24e9082799c078e09b284f2a656a241ae
- Size
  
  487KB
- MD5
  
  0bbbe187772939439ccbe2c4dcce4021
- SHA1
  
  05dae50f46c10370b83f82f5795841d980964bf5
- SHA256
  
  441093812c61d7d3698c2f3288a0b8e24e9082799c078e09b284f2a656a241ae
- SHA512
  
  ffc89f0e388948cd2564b5ca19c995567c3a73a8ab9feebd9bc7c1f87fd2db5ccaef1316c6e0c6987ab437a5f2061d3c0a3feb1104eca7d8454c8c27d348c7ea
- SSDEEP
  
  12288:q8r4IuZ6q4rHmBfZOAZdY7qTBu9xuKVbZ0PgvW/qCj57r8Ehh7IAUP5ViA/if49C:qlKeWgxpi7BVvM0Yqeskkw
Score

10^/10

xloader gab8 discovery execution loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloadergab8discoveryexecutionloaderrat

behavioral2

xloadergab8discoveryexecutionloaderrat