xloader | adfc1312ed080bcd3fff720269f3c544b5f33194acb71f36b2393d85eeedc34a | Triage

Sharing

General

Target

8e71e9516683fb3becd0c6cdf5a9fa64_JaffaCakes118
Size

419KB
Sample

241104-bqe15symht
MD5

8e71e9516683fb3becd0c6cdf5a9fa64
SHA1

1f4aa8b7878e19c26e11a9001021975f5c2adca0
SHA256

adfc1312ed080bcd3fff720269f3c544b5f33194acb71f36b2393d85eeedc34a
SHA512

fa130c1e05c5a438dc5b8081d409d377298603e95a33f946460fbb3e0c88e824c49b02a06f6f11d19d9736eb6e728f79aa8542f3ef27962d24911c2182c465c8
SSDEEP

12288:AH3sPiRmMzP7J55msJ/yU43aOBxijnKtpqRRrrOXpr:Y31mMRXh/yxqOBkj4qRRr6XJ

Score

10^/10

xloader ur5u discovery loader persistence rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ur5u

Decoy

365happyday.xyz

maxiemier.info

desarapen.com

manjalmatrimony.com

developingservice.com

cxdnl.com

srlwujbj.icu

couldve-wouldve-shouldve.com

cruzingtovazquez.com

nishifleurs.com

ssgasi9a.com

jiantxcallbackc.com

myonlineslotsfree.com

kiahhco.com

extra-times.net

tvfenxiang.com

fluid-branding.com

esquire-capital.com

arvictories.com

energyvibrance.com

Targets

- Target
  
  8e71e9516683fb3becd0c6cdf5a9fa64_JaffaCakes118
- Size
  
  419KB
- MD5
  
  8e71e9516683fb3becd0c6cdf5a9fa64
- SHA1
  
  1f4aa8b7878e19c26e11a9001021975f5c2adca0
- SHA256
  
  adfc1312ed080bcd3fff720269f3c544b5f33194acb71f36b2393d85eeedc34a
- SHA512
  
  fa130c1e05c5a438dc5b8081d409d377298603e95a33f946460fbb3e0c88e824c49b02a06f6f11d19d9736eb6e728f79aa8542f3ef27962d24911c2182c465c8
- SSDEEP
  
  12288:AH3sPiRmMzP7J55msJ/yU43aOBxijnKtpqRRrrOXpr:Y31mMRXh/yxqOBkj4qRRr6XJ
Score

10^/10

xloader ur5u discovery loader persistence rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderur5udiscoveryloaderpersistencerat

behavioral2

xloaderdiscoveryloaderpersistencerat