xloader | 70974bd6d34d52bf57b2c332540f80ad80c0b4b0b3fde33551d618fe2829193f | Triage

Sharing

General

Target

70974bd6d34d52bf57b2c332540f80ad80c0b4b0b3fde33551d618fe2829193f
Size

1.6MB
Sample

241121-ype13swlc1
MD5

e73412b2814516969b13c99191c71581
SHA1

dde7db794a779270c214596d7553d13650940cf7
SHA256

70974bd6d34d52bf57b2c332540f80ad80c0b4b0b3fde33551d618fe2829193f
SHA512

b4b5f66ebe5b15b96d29dd46cfafe0a3e3d1a7dc807013c1d000a7a84a8cd8703d95138b47475c511857b3b8978d127afda575cdfb0885607dde7677ac0b2d83
SSDEEP

24576:9x6i0dzjqYeiktfhv1X9eL3xQv7towhrDj:9A3dyBtfhNX9ejxQv7Lvj

Score

10^/10

xloader uuv8 defense_evasion discovery evasion loader privilege_escalation rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uuv8

Decoy

aktaxconsultants.com

earthingchallenge.com

skautz.com

howtousebeardbalm.com

benjaminpeto.com

houstonhighpoint.com

trackerci.digital

cherishedbuildings.com

raphiademadagascar.com

wewillbeaok.com

diyhelp.xyz

hl8mkt.com

karensoansemusicteacher.com

duibuqinibaoqian33.xyz

genslerhop.com

lmi-russia.com

deeptissuemexico.com

sienddo.online

4002poinsettia.com

sleepcatcherzzz.com

Targets

- Target
  
  PDF_Scan-AWB#5305323204640.exe
- Size
  
  1.6MB
- MD5
  
  fbd0913a7ff1c25f30509841f784ba06
- SHA1
  
  65384b25ec04d910d2f1dea75692477a9e95d645
- SHA256
  
  823cba52fb307afbd762ff01b52ca62586a126065f2a914c5e6b1ce3c203ba8e
- SHA512
  
  ea4b1cc7b45e78982146a84f2d10b118d51957ad0966b6248225aab0b39f5ac17aa3a055c79d677b6182b38239dfe297c76514d676aa2a2094b4bce029ef8901
- SSDEEP
  
  24576:Qx6i0dzjqYeiktfhv1X9eL3xQv7towhrDj:QA3dyBtfhNX9ejxQv7Lvj
Score

10^/10

xloader uuv8 defense_evasion discovery evasion loader privilege_escalation rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Looks for VirtualBox Guest Additions in registry
  evasion
- Xloader payload
  rat
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

Create Process with Token

Defense Evasion

Access Token Manipulation

Create Process with Token

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderuuv8defense_evasiondiscoveryevasionloaderprivilege_escalationrat

behavioral2

xloaderuuv8discoveryevasionloaderrat