xloader | a731201c494158fd9f3b137b67db02ad541ff8faff0f4b26d66d5234027abb60 | Triage

Sharing

General

Target

a731201c494158fd9f3b137b67db02ad541ff8faff0f4b26d66d5234027abb60
Size

552KB
Sample

241121-y565ha1ngl
MD5

02d6a3b0f8437d346e9ac47c6e3c30db
SHA1

6185990c7684ff45314341d2e8755bb165533308
SHA256

a731201c494158fd9f3b137b67db02ad541ff8faff0f4b26d66d5234027abb60
SHA512

f19c3652089ae32df42e1b2a04a0b6c56054c03d2c7997e9a81f5eb7f645ee9d64036e70e654086519d1dc200ae126a7877e0033d9568ab408be440d95e90373
SSDEEP

12288:iq/y4yBO3/Zeis3jdciLS12l2SAWg9udOYOI5tw5fpDgg3u5JT:4z3jd3qpudOOChDggKJT

Score

10^/10

xloader ohi3 discovery execution loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ohi3

Decoy

itaewonbrunchbar.com

spectrosam.com

vanita-bavaria.net

kovrikydoma.store

tilthespire.com

aichuanghuan.com

healingyourbodynaturally.com

1790thirdavenue.com

zollogistics.com

inden-shop.com

fmhra.online

blenbigs.com

ofedward.com

efootball2021-eventpesmob.com

sutas-tr.com

ampersandcraftsuk.com

roofingcompaniestampa247.com

whwkjmhy4f.com

gngifts.com

bellezamarket.store

Targets

- Target
  
  DOC09178236_20210922.exe
- Size
  
  734KB
- MD5
  
  38cb740b60d846d2a14a49021a10e164
- SHA1
  
  6d1b170fb830773cb750944938f2ada14499fd07
- SHA256
  
  d27692420e58cdd646e9a5bd19618387395ee4bc63d10bbe14fe3548e4546889
- SHA512
  
  4a4a8f86e7fe559771d401766b4df2f9e194f670222156330f150d72677b92b353d27d8ab43aadd0facae1babc3603bf78bb6e714be559cd9e56294384bbc1ce
- SSDEEP
  
  12288:hCmtiK5oKB2GisSjdcBL91Wl2sAzx9u7OSOI5ow5fpvgy2k:M+Fo62oSjd0nJw7OVChvgy2
Score

10^/10

xloader ohi3 discovery execution loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderohi3discoveryexecutionloaderrat

behavioral2

xloaderohi3discoveryexecutionloaderrat