xloader | a4336bf3d57e83de94cf7e76c06df4b04f6041e646b073d873e6746f61743a0f | Triage

Sharing

General

Target

a4336bf3d57e83de94cf7e76c06df4b04f6041e646b073d873e6746f61743a0f
Size

686KB
Sample

241121-zc7e8s1ram
MD5

e8ba66294d12279e421be167524a1443
SHA1

44e983e48948b2e5ba41d52acbbe73d207d516fb
SHA256

a4336bf3d57e83de94cf7e76c06df4b04f6041e646b073d873e6746f61743a0f
SHA512

88a64c6893321fb0441f8376c590e77503a53c92d1f969c94019baeedac4edda8f071ae0e89d4c8fcc3cd145d3886fd5dc9cf880a8f0016ab5ca3bad3a0347a8
SSDEEP

12288:YW4oqJqGrHx6rhAl04AjMoT2l9ujFBz9CKUP/2cDRO6nmMjGczRLhITZ7b6qrN:GoqhxWhvjMoTEm3k7/VDROamQTmZ7bhh

Score

10^/10

xloader nbm3 discovery evasion loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nbm3

Decoy

3881a.com

abutuandui.com

halo-airs.com

nu865ci.com

fssqyd.com

pacificsunseattle.com

sellyourfobs.com

eniso-team.com

ciscenjedpffiltera.com

furriekids.com

dspotsg.com

amanispartydecor.com

wrih.top

rab-verlopen-pas.icu

alircep.com

rangeroads.com

bugattiveyronhypercarnft.com

dominera.net

jux565.com

licenseoriginal.com

Targets

- Target
  
  f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70
- Size
  
  1.0MB
- MD5
  
  9d73b42ce002d0964ac552c4a8be3652
- SHA1
  
  86942687836cc75e082399acafefcf17f40c6606
- SHA256
  
  f5627afaa1bd709c0472ba296cf90e93f743d58959461eec26ba7b62e7486c70
- SHA512
  
  4d768f775e56ca96898657d908c062056f94c69e8765bec277df6c5f9f359446771c17988488836c7e7c281200ced151983e1b690161bd60ff9f2394715889d0
- SSDEEP
  
  12288:Wx76RAQOEhGkEHIxZEfzZXbpC+MRxkhxSU739+MAC80dRXXr3SONMTW2KgcYM8+M:YadgVOExA+LQG2CpzXXrNns
Score

10^/10

discovery xloader nbm3 evasion loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Looks for VirtualBox Guest Additions in registry
  evasion
- Xloader payload
  rat
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xloadernbm3discoveryevasionloaderrat