xloader | 1faca62436ef49b904a73d51088da2aa51825c854f6dfb0916ddebc550d79b37 | Triage

Sharing

General

Target

fe4f79a87c731022ff87a08dedc5fccc_JaffaCakes118
Size

539KB
Sample

241219-ebjybsxlcq
MD5

fe4f79a87c731022ff87a08dedc5fccc
SHA1

69387e92209bf6820f3daa0107359555ca8bc63b
SHA256

1faca62436ef49b904a73d51088da2aa51825c854f6dfb0916ddebc550d79b37
SHA512

f075626de6bdbf4a3c712e85c9c3f03410e62edf5b6c292eb1cffcb494ac64881297d6b3dba6053e44350f75aa39d8154b686eff7764eb81a631e327fdb78252
SSDEEP

12288:ojYTbhetS4ynTUF7+1lMCYTJQCvFu8SUG0zY:ojGhetSXnTwAl5fCvFnSU

Score

10^/10

xloader tows discovery execution loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

tows

Decoy

affordableorganizing.net

airstreamnear.com

mindequalsmoney.com

ganleychevybuyscars.com

g17cp.com

flahertystudios.com

jermainemyersonlam.com

ivermectinbuyonline.online

leapconfront.com

rosevillerose.com

fjlypc.com

jugnievents.com

fulvicgump.com

lawofficeofgeorgeefootepx.com

cityinfoyellowpagesnepal.com

thenorthfacesale.online

citadel-soft.com

real-estate-lake-tahoe.com

middleeastclean.services

xinsufu.xyz

Targets

- Target
  
  fe4f79a87c731022ff87a08dedc5fccc_JaffaCakes118
- Size
  
  539KB
- MD5
  
  fe4f79a87c731022ff87a08dedc5fccc
- SHA1
  
  69387e92209bf6820f3daa0107359555ca8bc63b
- SHA256
  
  1faca62436ef49b904a73d51088da2aa51825c854f6dfb0916ddebc550d79b37
- SHA512
  
  f075626de6bdbf4a3c712e85c9c3f03410e62edf5b6c292eb1cffcb494ac64881297d6b3dba6053e44350f75aa39d8154b686eff7764eb81a631e327fdb78252
- SSDEEP
  
  12288:ojYTbhetS4ynTUF7+1lMCYTJQCvFu8SUG0zY:ojGhetSXnTwAl5fCvFnSU
Score

10^/10

xloader tows discovery execution loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloadertowsdiscoveryexecutionloaderrat

behavioral2

xloadertowsdiscoveryexecutionloaderrat