xloader | 587dbf96979d7f8de55234e0b9c2f41332ecbfcbe9260b5ed2ddca34bfbc4391 | Triage

Sharing

General

Target

587dbf96979d7f8de55234e0b9c2f41332ecbfcbe9260b5ed2ddca34bfbc4391
Size

676KB
Sample

241121-ysw4rswmdv
MD5

69d56c80ff5b930a05f94752415affa9
SHA1

a1f99148e6d121cfd4fa4de2d78df4476cb375ab
SHA256

587dbf96979d7f8de55234e0b9c2f41332ecbfcbe9260b5ed2ddca34bfbc4391
SHA512

1d9ebec2d56dfe341a2ea1bf897552d329127b0949c39733ca9d42433f2b00599f05b1ab7b9fb577bd2d96565cff6d8cd40dd3d05e04a8b356e5b6a12b55c3a5
SSDEEP

12288:Vo2H3ngytUEeYiUibVXaGOFqd5OAQ7TdgPjrRHsR0F1Xt50WcFlKkNYQB:GgthzwCFqLOAQ1IRxdt5iFl9CQB

Score

10^/10

xloader maw9 discovery evasion execution loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

maw9

Decoy

jaimericart.com

mayavantcard.com

romanzava.site

forefrontunderground.com

grafikirmarketing.com

airpoppoff.com

captureq.com

vph.ventures

historiclocation.com

theoxfordway.com

springersells.com

huther.mobi

networkingmaderas.com

reggatech.com

dollfacela.com

moneycrypt.net

calidad-precio.net

hamnsk165.com

victoriabrownrealtor.com

itechfreak.com

Targets

- Target
  
  HAWB AND INV.exe
- Size
  
  724KB
- MD5
  
  42662765a94ce5ece11529509f937711
- SHA1
  
  da57dd4c137c47fc9b906caaf067c6ed13fa2da6
- SHA256
  
  2138325dd5e2825ee4086187a944af336476b0327e1ddae7563bb24523836e08
- SHA512
  
  101d7bb5f778e779133f005c801fa26cf1bc147fed9f2774808526c50b3ae8e12863bc7ee3dfb060153d4b0b3a5ef66f357e44d477e1558060fe54df990b4b95
- SSDEEP
  
  12288:vFAPrYNczrMFJxdNkJ41cx7acIXBFwbk2ldYaZPCwdwfPyfK8vW6M+:vFAjYysyCcGTqnCfPwK8vnt
Score

10^/10

xloader maw9 discovery evasion execution loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Looks for VirtualBox Guest Additions in registry
  evasion
- Xloader payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloadermaw9discoveryevasionexecutionloaderrat

behavioral2

xloadermaw9discoveryevasionexecutionloaderrat