xloader | 00094c5f5f67e1a091ddbdf88ea507bae9ee4bdb06a0306e27ba4b9285c6e13b | Triage

Sharing

General

Target

00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe
Size

857KB
Sample

241204-qqa5hswqe1
MD5

db0596af906c0293eeb802af1bc3ba4c
SHA1

60540d0eedf061c4b22a3144f36cc8a23dfaab9c
SHA256

00094c5f5f67e1a091ddbdf88ea507bae9ee4bdb06a0306e27ba4b9285c6e13b
SHA512

032eadb161523bd15650823bc9b50e51c3d73d8c247c489199cfa800511cecf5568bdb7b5531acf430973a8b5cd0cd109087c85446311486c0b23575fdc7f4ed
SSDEEP

12288:Pay+JMdzTJnZU55m7hDZ/JY1JKuqMs5JPxpn8RzgiH59UhSY:iTJs/vUulYyuNs5Jxpn8RHZ

Score

10^/10

xloader ahge discovery evasion loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahge

Decoy

zlh.biz

suddennnnnnnnnnnn11.xyz

okanliving.com

shopeuphoricapparel.com

hcifo.com

haciendalosangeleslaguna.com

shineshaft.online

monclerjacketsusa.biz

uwuplay.com

psychicdeb.com

adonlet.com

theprogressivehomesteaders.com

ammaninstitute.com

sqpod.com

tropicbaywatergardens.net

yna901.net

3christinez.online

tastemon.com

karansabberwal.com

delegif.xyz

Targets

- Target
  
  00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe
- Size
  
  857KB
- MD5
  
  db0596af906c0293eeb802af1bc3ba4c
- SHA1
  
  60540d0eedf061c4b22a3144f36cc8a23dfaab9c
- SHA256
  
  00094c5f5f67e1a091ddbdf88ea507bae9ee4bdb06a0306e27ba4b9285c6e13b
- SHA512
  
  032eadb161523bd15650823bc9b50e51c3d73d8c247c489199cfa800511cecf5568bdb7b5531acf430973a8b5cd0cd109087c85446311486c0b23575fdc7f4ed
- SSDEEP
  
  12288:Pay+JMdzTJnZU55m7hDZ/JY1JKuqMs5JPxpn8RzgiH59UhSY:iTJs/vUulYyuNs5Jxpn8RHZ
Score

10^/10

discovery xloader ahge evasion loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Looks for VirtualBox Guest Additions in registry
  evasion
- Xloader payload
  rat
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xloaderahgediscoveryevasionloaderrat