General

  • Target: dot.dot
  • Size: 12KB
  • Sample: 210408-j4xdkgfkxa
  • MD5: 40f03856876fda8b3bda880d1d5a4636
  • SHA1: d252c054154c5524dfbf3f3238b32f711290fd36
  • SHA256: a4358b898c41852211ee727e4b8c0d05301bf4c6a90a4780c5a6f8b1b1cf5c81
  • SHA512: 559a93f09a07a3aa13ffce038ef2d47a1b73ef6301fd2799a9b3cae99b3e7b652e65951a318cbe7bc31ae25ffeb05c644b08f306553ec9c70b4e60794e1e6687

Score
10/10

Malware Config

Extracted

  • Family: xloader
  • Version: 2.3
  • C2: http://www.scott-re.online/nnmd/
  • Decoy:


Targets

    • Target

      dot.dot

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    T1064 Scripting (1)
    T1203 Exploitation for Client Execution (1)

  • Defense Evasion

    T1064 Scripting (1)
    T1112 Modify Registry (1)

  • Discovery

    T1012 Query Registry (2)
    T1082 System Information Discovery (2)
