xloader | 7097c7689a872b74cc3eed23f91f1622c0789c12bf887b9a6298c4f49f19346d | Triage

Sharing

General

Target

7097c7689a872b74cc3eed23f91f1622c0789c12bf887b9a6298c4f49f19346d
Size

796KB
Sample

241121-zg3mvaxmew
MD5

3de259462a69a83b48ea51ebf35e5195
SHA1

d2719a1f8d44311ba23148f2b8d872aacb038ef4
SHA256

7097c7689a872b74cc3eed23f91f1622c0789c12bf887b9a6298c4f49f19346d
SHA512

c2e4f97ed7bee6a0f1e44721222db904ea56981341f1da9ef426091f6c1bc59706be23cabec339221597726315d2c57101256d8ee15119f8528e3f9a32d163ac
SSDEEP

12288:3uKPTtfpxazi/JFQ2WCZJ4j00OD7LL+cnKhhJlKR2y+CpsQIO1jlqVcBmCBCs4QX:3u0Yzi/J6OyBCLCcKk2yxZWVKmCosFX

Score

10^/10

xloader i6ro discovery evasion execution loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

i6ro

Decoy

annahve.xyz

636851.com

cngm7e.com

iloveapple62.com

zdbhl.com

becu84ts.com

buongpuso.com

qhwl2017.com

savarsell.com

anentbottskeen.com

vyounglighting.com

executive-air.net

elaish.com

ilmarijuanadispensary.com

online-bolgar18.com

qubtantoys.com

tkspoboys.com

hackensackfitness.com

bitcointradel.com

nightcanteen.com

Targets

- Target
  
  SWIFT k.bin
- Size
  
  1015KB
- MD5
  
  74edec99d7bf3b8c7d97d0a4d4d29b64
- SHA1
  
  444e8af17aafc45430e7051126480d60dfa47966
- SHA256
  
  0403e4b3772f23e41ccdde464fd1bfcedd517bd3c87f3f7652b2c55aee755376
- SHA512
  
  c374c62e51109ece72910644f4ac8094defdfbea3c8c456bc2983d55f692c6f0542593f4f00db434a660bbfe3fda0c52251ee0cb82ed6aa5209f10e4cbf42b08
- SSDEEP
  
  24576:fqeXxJ/Fl1+LZVCS+9ESK0NRmyMUfus6suP:jXxJ/Fl1+tGXNRLrP6f
Score

10^/10

xloader i6ro discovery evasion execution loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Looks for VirtualBox Guest Additions in registry
  evasion
- Xloader payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderi6rodiscoveryevasionexecutionloaderrat

behavioral2

xloaderi6rodiscoveryevasionexecutionloaderrat