xloader | 752966b8834739951d9ca0e169f7750b7d74363db3fb9e1af55ab44e692ad578 | Triage

Sharing

General

Target

752966b8834739951d9ca0e169f7750b7d74363db3fb9e1af55ab44e692ad578
Size

731KB
Sample

241121-ylwjnazpcp
MD5

b9bcec9c8fe1a86713973ff28d33f948
SHA1

ef8150b02a2cbde39a101c061b57a140a75cefa2
SHA256

752966b8834739951d9ca0e169f7750b7d74363db3fb9e1af55ab44e692ad578
SHA512

3f011256cc8e37faf2d685107ffb23595db26b7555969b11948b981d560dea9527c1ea16eb6f21672ec6fb8966e3900f1ac796478e45dfa1ed2610f6cd350538
SSDEEP

12288:kAykyaaHy4sd4PM/pMqZbe1w/dVLQ96zKlHIy2Oer+wyoGkK3NIhjadV82KwxG/P:kAAl9sWk/e48QdV86zKls+wzmNIhjadq

Score

10^/10

xloader pdrq discovery execution loader rat

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

pdrq

Decoy

welchsunstar.com

mppservicesllc.com

wiresofteflon.com

brabov.xyz

compnonoch.site

yourbuilderworks.com

iamsamirahman.com

eriqoes.com

eastudio.design

skyearth-est.com

teethfitness.com

razaancreates.com

shfbfs.com

joyfulbrokekids.com

kjbolden.com

howirep.com

deedeesmainecoons.website

e-powair.com

aheatea.com

shalfey0009.xyz

Targets

- Target
  
  81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a
- Size
  
  806KB
- MD5
  
  deaa34eaf2e31504aebbcc53af44d4b4
- SHA1
  
  4f47579328d55a56a8e69906b5deb3c3235865f3
- SHA256
  
  81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a
- SHA512
  
  fc338042c184d05789c5841893c47cf58f4cbf452fd2f649a5e04e7c1dd3cc2c3817940e574b1a09ba2ba5bc56ba27f6756a2f2818273354b61dcabb1f6e0f63
- SSDEEP
  
  24576:8INl0VrLH7hR7dVJm3LUYbyBWBAsXfIPJodP3CIzeg:3l0VrDXvGLUMBAsXfIhYP3CB
Score

10^/10

xloader pdrq discovery execution loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderpdrqdiscoveryexecutionloaderrat

behavioral2

xloaderpdrqdiscoveryexecutionloaderrat