xloader

General

Target

49de1052f457153b3e0de091d9658354b80ef0312bb3a74377c6565c4b68b5b8
Size

395KB
Sample

241121-zbtsra1qgj
MD5

ae15f0dd6c2476ec317ff8b4b4553806
SHA1

7931c69a23da1638a20c98659682e63adbbc2dc3
SHA256

49de1052f457153b3e0de091d9658354b80ef0312bb3a74377c6565c4b68b5b8
SHA512

813be7e288384406d74626a7aa337ff1063f0e1067e2d817fa8e4ff7fec6c9e518f6f834a5f12e704c0ef4094ca36be4b92f66806bc45fa4cfde7ea15afbed2c
SSDEEP

12288:kAcmrjF4Bd7jWROFceURr75vVrsCpywEtK:kDyF4BYSqFvdsuyptK

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ns87

Decoy

hcjn998.com

y963257.xyz

upcrunchnow.com

adornor.online

boyhunters.com

mchaskell.com

bayanescort.xyz

jovinodossantossite.com

hubhosted.com

evertownnycapartments.net

mgav40.xyz

lfykjx.com

asscheekspizzaboi.com

chinacxq.com

abovecover.net

listingswithalex.com

hhcreativeartsociety.com

aryanagasosa.xyz

caesarpro.com

junanbolsas.online

Targets

- Target
  
  vbc.bin
- Size
  
  575KB
- MD5
  
  2986502fc991bed7cc87122bc481d5b4
- SHA1
  
  45d8d4498052803984a49f880d874c659945fc0c
- SHA256
  
  45de0a47d8bee8de67d818ea239f0f9c934c3299be3c3faefacb9e1e4800078c
- SHA512
  
  54f3fc749923be12396af61b64bbeaf5b12e290159960517989b79d882d4a1ed2af6045a85987ac615b9da1d9232d63db5ceacbf4c907b5fd33735575c75a3d8
- SSDEEP
  
  12288:zBqlwSPINx9zVGr5rg3xcnX5pPhdc2WjgDw:yDIxfErgAXc2WjgDw
Score

10^/10

xloader ns87 discovery loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Deletes itself
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Xloader family

Xloader payload

Deletes itself

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2