xloader | ac00f76b8b9b7a4da749a85063b49c446b4b50e9837907c737a4675bcee43c3d | Triage

Sharing

General

Target

ac00f76b8b9b7a4da749a85063b49c446b4b50e9837907c737a4675bcee43c3d
Size

4.4MB
Sample

241121-y432fs1nbq
MD5

99aa342771928acf2d245a78e95d7ffe
SHA1

14cd538764217cb2f09603ec2196ad971fbdbe8d
SHA256

ac00f76b8b9b7a4da749a85063b49c446b4b50e9837907c737a4675bcee43c3d
SHA512

8e42c097b0cb7ccab4ec647d28ffd894f7e20bd7bec5ba6482dc8d243f4b9a493840034947d12a92e1ceca8224a255f481de25e5a79bcdb1587feb36dcb49f21
SSDEEP

98304:HjFozT4IL4RgZ3iOV17dWXeVBMeQjjHDoP58U2/1uDVM3gYfIMFzBj/E+oKQo/:DFrIL4+SOV1hWqBMeI708L1aVQMGBjcq

Score

10^/10

xloader avc9 discovery loader persistence pyinstaller rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

avc9

Decoy

thejamalpur.com

oneofthemthere.com

instaleadsolutionsllc.com

dorchestercountyhomehunter.com

digirmbbank.com

taeheavyequipmentparts.xyz

topless.cloud

heatherhuntercoaching.com

pennysworld.net

auirz.xyz

conserfic.com

haroopet.com

perazabenefits.com

tuftmultimodal.com

quanlailai.com

revealsonwheels.com

rafaellaepedro.com

cowbex.info

cobject-studio.com

odp.xyz

Targets

- Target
  
  13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69
- Size
  
  4.4MB
- MD5
  
  57c89dd8d8ff1fd5192ce1c48c3acbd6
- SHA1
  
  c3a94aedc5fce3afdafe25ac648f3579e71cfaf3
- SHA256
  
  13d97308ca4e87d31024b1fcbfca7f7fdac365a4bf2264ca18499847d411bb69
- SHA512
  
  bdb1017d539ebdaf39b921ce580d064bd5d148d53def3c0b6879b469e798b212b70e334026c33bf5418afd40a507becb0898df2848b17ec3c961bf2e8bc32479
- SSDEEP
  
  98304:l+/nt0ET4PHnq6UYWqq0e/m5Si4/lmBcRC3HnkSR5lxrA7SFqIG:g/Gd/UYIX+5SiWlUL39V67SF
Score

10^/10

xloader avc9 discovery loader persistence pyinstaller rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderavc9discoveryloaderpersistencepyinstallerrat

behavioral2

xloaderavc9discoveryloaderpersistencepyinstallerrat