xloader | 0cb70c2842d361eff4d971e809911969086a71824cc422f98cbc8b924713463f | Triage

Sharing

General

Target

ea5a7ad0dcd55d7835d3649b9dfcd51e_JaffaCakes118
Size

398KB
Sample

241213-hcc3ys1lcx
MD5

ea5a7ad0dcd55d7835d3649b9dfcd51e
SHA1

cf6feba3fd6e5f0cf7cee84f4a216f33960e45db
SHA256

0cb70c2842d361eff4d971e809911969086a71824cc422f98cbc8b924713463f
SHA512

bff9e57c2344cf7e84e2545d8b5d82d16374eee9be5a705c0a6cb69979dbcb7c9a583b09799363f61362afa673d2c5a1180900222c84aaf2f5bca6f982218759
SSDEEP

12288:5TIl1db2YCs2vycBplnjzafiyr3uLWgbROehqa:5Kbh1uVyr3bgACB

Score

10^/10

xloader nins discovery loader persistence rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

nins

Decoy

wingsmh.com

honeyconstructionmanagement.com

aizaibali.com

twelve11transportsllc.com

aadetermatology.com

sarahdewald.com

si-kap.online

imperiummetal.site

srysyoga.com

fbirelationship.com

drtracielashley.academy

jrgsestates.com

affordableseo.club

triggerfingerboards.com

halalmine.com

shopdogwoodhill.com

qad.info

nocraphere.com

misskarennglishteacher.com

march.wtf

Targets

- Target
  
  ea5a7ad0dcd55d7835d3649b9dfcd51e_JaffaCakes118
- Size
  
  398KB
- MD5
  
  ea5a7ad0dcd55d7835d3649b9dfcd51e
- SHA1
  
  cf6feba3fd6e5f0cf7cee84f4a216f33960e45db
- SHA256
  
  0cb70c2842d361eff4d971e809911969086a71824cc422f98cbc8b924713463f
- SHA512
  
  bff9e57c2344cf7e84e2545d8b5d82d16374eee9be5a705c0a6cb69979dbcb7c9a583b09799363f61362afa673d2c5a1180900222c84aaf2f5bca6f982218759
- SSDEEP
  
  12288:5TIl1db2YCs2vycBplnjzafiyr3uLWgbROehqa:5Kbh1uVyr3bgACB
Score

10^/10

xloader nins discovery loader persistence rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderninsdiscoveryloaderpersistencerat

behavioral2

xloaderdiscoveryloaderpersistencerat