xloader | 018116eae1d31c0b4ea252f45e266bee71a916715e023422b19ddc01413a8139 | Triage

Sharing

General

Target

018116eae1d31c0b4ea252f45e266bee71a916715e023422b19ddc01413a8139
Size

699KB
Sample

241121-y2bt7a1mam
MD5

faed7cffab128ddcc5cc2be62ca54999
SHA1

b9d6c84619c59230fe214853d0751a32e54bb15b
SHA256

018116eae1d31c0b4ea252f45e266bee71a916715e023422b19ddc01413a8139
SHA512

ebc588157c2d865fcd890f738903dd0c9c23c267e3f639ea79676e16d0d03772effc0e9d7b0ea40d61edd4f897a5d655ff74520b0df4817710fe6dddb417f88f
SSDEEP

12288:P3wIWvj/bGQleP60MvqEfN7ecx3JLDxxw3JPJdq6AQ+jZF6Ll94kYcpUF60iKqnE:PKb/bGmS6RvXfNNVLwZxdq6f+Xo7g6L2

Score

10^/10

xloader rm3m discovery execution loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rm3m

Decoy

thaiontheflynj.com

khuramsheikh.com

zilrodrigues.com

15220fernave.com

killerinktnpasumo4.xyz

heartcircuit.com

tmhiz.xyz

renteralliance.com

0r9p.com

consixx.com

elleo-nature.com

millionairesocietyco.com

cigfinanacial.com

crushcovid.info

dxalt.com

gutimautpribuinrop.com

intenter.store

29977app1.com

tbdlsb.com

bubblersonwater.com

Targets

- Target
  
  2acb4f9298ffd24c281b1c897788fba7b6d1d95d8e6e7c7c1ec18aecbda92147
- Size
  
  733KB
- MD5
  
  dbd7cc7bcce10baf20d105c7d0e8f762
- SHA1
  
  79de6f146f60f678db7d07937de42536009b9aa5
- SHA256
  
  2acb4f9298ffd24c281b1c897788fba7b6d1d95d8e6e7c7c1ec18aecbda92147
- SHA512
  
  b888ac1ff8dd1d7cd542f8c89d5a296090b7ba000d708d6ce26b451269d33f1831c298c105064a11b7fcf4eb8b575a9bda0e4ce304734fc2284d8057a1fc4d42
- SSDEEP
  
  12288:rlyru7rbXQvc14U3Ogtu/bcJodeStHugVlNKNQ7idzOVIHmfE6wqe3xYPj0U1:Bya7XX4PU37tu/zeSGjOV9fE6ECPoU
Score

10^/10

xloader rm3m discovery execution loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderrm3mdiscoveryexecutionloaderrat

behavioral2

xloaderrm3mdiscoveryexecutionloaderrat