xloader | 289b036086e7234bc1f7a6013d87220132f31abd768e9003cd9b80e032c3ed88 | Triage

Sharing

General

Target

289b036086e7234bc1f7a6013d87220132f31abd768e9003cd9b80e032c3ed88
Size

738KB
Sample

241121-zcklgaxldt
MD5

9ac6e1f4fe3d44c38dfde134286ff44e
SHA1

dead2e0732f659e14db0ba744cfc3cd5d4487f6b
SHA256

289b036086e7234bc1f7a6013d87220132f31abd768e9003cd9b80e032c3ed88
SHA512

4da6e633672b263da4c06704aa711dc80984b5c17ae9fdea977d4cbe673865718045ae6e5c7700029c7dbfe385e24ee805528820ebb56bbd3f2ac75c1b05e11e
SSDEEP

12288:YS0w8dphtMXj0KQ18XoR6AfAKTi4wyghGd0HY1sHVVk6MP5L2yNpQRCxDh:YJdpr4gKpoLfAvZGdZ0VVkx7QRut

Score

10^/10

xloader shbc discovery execution loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

shbc

Decoy

ccee77.com

rkfb11.website

dhanwantarifirstaid.com

lindakmiller.store

cedarparkproperty.com

one9online.com

universecells.com

spanshlifepace.com

eternityprivatewealth.com

rocknripple.com

lk-safe-keepingtoyof6.xyz

settacorp.com

bhy8.com

hxkpcom.com

woyaobudan8.com

geleisi168.com

movilitatelectrica.com

jhesuveels.quest

nijigenutopia.com

odlublina.xyz

Targets

- Target
  
  d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b
- Size
  
  877KB
- MD5
  
  79a8396afa4bafa7fa10abf4d9742460
- SHA1
  
  0b44500dc9152a7fa8a26243e240e63a46097d41
- SHA256
  
  d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b
- SHA512
  
  8b24ff09b77cb0bf7c8cfde7cbcf3c285370e7390452dc2dfeba18d588a93c17ed3196b61e3d9a58bf3fdc4bf136a38910b09af83523ceea0fbf28277e8631c0
- SSDEEP
  
  12288:wgEf1smrkBTZsJwO80kgSxeZgitF1McwLVmadIdzZjOUv0wOf3gq8jqGJ5g7d6D3:UzrvJw6k1xIEpRazBd1sjE5g7d0Cq
Score

10^/10

xloader shbc discovery execution loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloadershbcdiscoveryexecutionloaderrat

behavioral2

xloadershbcdiscoveryexecutionloaderrat