xloader

General

Target

ba89ade366c193b814186b75bcadc49c528f0c84a2bf9840b38870bc59835e1b
Size

1.3MB
Sample

241121-zb7plsxlb1
MD5

da088b6e7a59be375aeeae16daf75c67
SHA1

347c465cac7d0ed0b21490d2ff3e84198c53a723
SHA256

ba89ade366c193b814186b75bcadc49c528f0c84a2bf9840b38870bc59835e1b
SHA512

7233fbd5138c4ad1885c4b3beb28d4529e2505885d7e1e820e9226b9395a310b650ea58c1ec6eaf04ec2a7291a8e925f1442623478653dcbbd237752e09e0afb
SSDEEP

24576:0a2bAGVqfZdRz88Jwko33c3PNABId6nDNQbOJWgXcBXHPMnJ:0a2AGVqR2M565WE0XHkJ

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

vfm2

Decoy

swedishchess.com

vanlifedubai.com

srespd.com

aquaeyego.com

mipily.com

wolderland-technologiesmy.com

reidandwriteon.com

realtywithgeorge.com

thomasangelop.com

innotecon.com

alternativedata.services

shogohorinouchi.com

fuliba001.xyz

levelprism.com

auditocity.club

opmatix.com

eds.center

sophia-tokimeki.com

htbrasil.com

trueacademia.com

Extracted

Family

xloader

Version

2.5

Campaign

dgrg

Decoy

iot-vn.com

gamiteisnowjoyned.com

ak8flfqzm8.com

daliborkokic.com

mrk-9.com

tanzibkarate.quest

mburmtdvccti.mobi

thomas-wildlife-control.com

thebritenseries.com

hkkbags.com

redenyl.com

resilientbutterfly.com

nicethelab.com

xn--1lq90isray30ltdc.xn--czru2d

cyberews.net

naclepin2a.xyz

rodrigocoppa.com

hightings.com

chamaaibrasil.com

bdelsaer.com

Targets

- Target
  
  aoo.exe
- Size
  
  984KB
- MD5
  
  7900dcea134e84a16491a43722518b95
- SHA1
  
  4c904c97c6d806a86edebe06f0972a8f8d20d6d9
- SHA256
  
  c349c8a20c6576c397a5dff95fb121e7a16dfdd992e08694a4aacf387cf8c3e7
- SHA512
  
  099c086a8451d14df7f2fa9af3a953e5121e45206b8e0f4236414bd774db903763845072f80943fc43f269117a79c0363402114f5412402af74cad3b3ec840fe
- SSDEEP
  
  12288:iEx2iNB0O7yJ0JTlkSuiTgcuj0AzWxNAmydE7Cagkjc3p3srKEZGYKxpeQxx+qx8:71+kxkFHbJzuOdEGa3jc3p3Ap8djxU
Score

10^/10

xloader vfm2 discovery execution loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  vbc.exe
- Size
  
  821KB
- MD5
  
  d41735b66e58ebee18f4326df912e28b
- SHA1
  
  6ee2222ee26abd42c1112841975d2ecc2b09d0c6
- SHA256
  
  41fd6b520a4abc453b23329a134e661c39aa19b463dc28bfcbf52bf093661511
- SHA512
  
  40d7c1b90d61eecad860d040d03ef7c3a2ec67bd263f2f1d389ade99655dbd5c567983483c48e0b418d9ded7ced1eece6cc26baa75ce43413ebf520ce339dc15
- SSDEEP
  
  12288:vFvomht5eIvL6PIJFGMBwbNxZWgT2mn/N4ljTI8Lf8MWakiyfIXy6fsEa:tvvsWweFlBUWg/4lXuFWi6EE
Score

10^/10

xloader dgrg discovery evasion loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Looks for VirtualBox Guest Additions in registry
  evasion
- Xloader payload
  rat
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Uses the VBS compiler for execution
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral3 behavioral4