xloader | 718ecafb4eeaccb9cb20adcd293afac1ade2a3deb818e02b43ef52facb388612 | Triage

Sharing

General

Target

718ecafb4eeaccb9cb20adcd293afac1ade2a3deb818e02b43ef52facb388612
Size

228KB
Sample

241121-y7q63axjez
MD5

e9b3a85bab609a87d6292f963efecc7f
SHA1

1956394c892dae29147a75cc3e5e1c7e3dd36c86
SHA256

718ecafb4eeaccb9cb20adcd293afac1ade2a3deb818e02b43ef52facb388612
SHA512

208f3653605f0b28b7ebc8a72191f2104a3d41773ba90c4295f53791824f8f85b67296f07791a53fc39b91d835d56de80190a428d8fe5b6c545a2c90ad52c144
SSDEEP

6144:IZmYVhQIT4UMMhkDEAcufHMRrFlP6QRfb3n16CXsP3Nc4YWP:ItWQRMQkIZu45Yufb16CXsPdc4YW

Score

10^/10

xloader hxn2 discovery loader persistence rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

hxn2

Decoy

janenoelleneedleworks.com

albedocoin.com

helennbendiss47.xyz

democratizabais.xyz

knellarraywoad.com

vehicleweek.com

cablevid.com

sigmagrup.com

cesarchavezeagles.com

centrocomercialgranadahills.com

theherotea.com

ozarkdemure.com

27mpt.xyz

expansionsound.com

fablebuiltbrands.com

rockyzpizzagyro.com

velociget.com

suntioil4u.com

salvationshippingsecurity.com

spares245.com

Targets

- Target
  
  db2eaf0d8a8a9f2856d9a9b0cc9ae7c9aaf35c86_1648765408695.bin
- Size
  
  242KB
- MD5
  
  b4536ff04a41cb627463ed157b9c7521
- SHA1
  
  db2eaf0d8a8a9f2856d9a9b0cc9ae7c9aaf35c86
- SHA256
  
  144d8b9e77f9c36dbd271d84635cda3eb22b470dbb64e63b1e898041743918fa
- SHA512
  
  c963ebfa9fcf119c4eef7f2c17266ce25b0e6e9554dac1da7e7098a7ff2e7af3c07cf70a913f386f2884208394f6035e282d128c59ded256d464b85d8fa549a1
- SSDEEP
  
  6144:HNeZmCatx5SFXIcsCbeA79KHt8SCfqlmDwB/NCl:HNlCIx2XIcsrk9uyFwNI
Score

10^/10

xloader hxn2 discovery loader persistence rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  pqnrmmq.exe
- Size
  
  5KB
- MD5
  
  ffe904bebf87531f8e5214b8b50aa7a9
- SHA1
  
  7ef3ca140c73dce0c7de875493be90a01e60ec48
- SHA256
  
  77f25d6adedeeefda3e4d103be5f19f1c227108216565a4d21135d31d5fc9e38
- SHA512
  
  3091041178650aef9b2bbaeaaf2a43427eb2f17f5d79daf67d8f3d812e7a5f3ad1939b31b5305dba432703d1d634ff9a6401f4cc5a363b8c5762272b24ba2b50
- SSDEEP
  
  96:B9WSoj4OORqz0l99c9bGupH5Jq76PITuWaYVRn:ws7qKybJfq76PIH
Score

3^/10

discovery
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderhxn2discoveryloaderpersistencerat

behavioral2

discoverypersistence

behavioral3

behavioral4