xloader | 63cf1848649840b25d392395e4b743461048703f616aebb495a050de117c6a0e | Triage

Sharing

General

Target

63cf1848649840b25d392395e4b743461048703f616aebb495a050de117c6a0e
Size

627KB
Sample

241121-yx89ws1kgq
MD5

a192594b5d320cdbc4ba71116aec8320
SHA1

9dc9164aca03ebbdbdc198384ddf8e9df15c2da2
SHA256

63cf1848649840b25d392395e4b743461048703f616aebb495a050de117c6a0e
SHA512

86c413f1641033a21659a61d1762303a4b4e7e31a3b0d2e75176dac6f9c0e5a399c0d504be5e8211e38e97bdf1469fab00872dc0a7e1f3b726efd46920e83f67
SSDEEP

12288:CiWnYhYPin86HMvMemTbNhQ9IAxPnKGMksFqbF9gHbjCAm:Cibr86HS/mfMIAxPnmxFqhYpm

Score

10^/10

xloader s6ap discovery execution loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

s6ap

Decoy

treika.com

xsacn.com

yokutoku.info

cao-catos.ca

summarizing-tool.net

owes.website

doortodelivery.com

minimixblocks.com

irinaorhideya.com

mayerohio.info

godofearth.love

byrdraffst.quest

cavalodomado.com

combatcollective.com

relianceroofsnashville.com

play-google-pokermatch.site

farhadhossain.us

remaxgreatplace.com

usati-consultec.com

improvizy.com

Targets

- Target
  
  93fc1e9b8d5d2c69a370b875315b2537406fcd6a86dac8179f20b52eb831fa14
- Size
  
  714KB
- MD5
  
  22609b8f24553de795041675c857c575
- SHA1
  
  9c6696600f3158ec526fcbcda3b5eb9acd5c8453
- SHA256
  
  93fc1e9b8d5d2c69a370b875315b2537406fcd6a86dac8179f20b52eb831fa14
- SHA512
  
  2337701962dfb08d65263b214dc6ce6a4a897001b3b59a4a0c607c8d7f8201d6bd26dec5dd397e8e621b24c327b903be4afde802c94adbd3445ff2f697e75941
- SSDEEP
  
  12288:35VkoEggqlkbCfPaRZAb6QsRUxZhC0HRM5yG1qjyu/9gdz56BJquqc42SiND3zr:kgeCfS46/OZh7xM5yTmk8kBJyr2SYDjr
Score

10^/10

xloader s6ap discovery execution loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaders6apdiscoveryexecutionloaderrat

behavioral2

xloaders6apdiscoveryexecutionloaderrat