Overview

overview

10

Static

static

1204202149...sx.exe

windows7_x64

10

1204202149...sx.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    12042021493876783,xlsx.iso

  • Size

    822KB

  • Sample

    210412-cm9w1glmwe

  • MD5

    de09c3fb28d3c6947ab804ce2b789aa2

  • SHA1

    4e08cde0d030559b28d2936ec1e2ee0e68ac0255

  • SHA256

    acee640096f7e141ca83e9640c50a69b378059dd92a786c2374d97848da7cd49

  • SHA512

    25163689641ee2e936753051ddcfd814559420eb8593288057471456564d7fd30051083233c0d44a06e4922a75b083947514f28326a67444c5c39e59383407ff

Score
10/10
modiloaderxloaderloaderpersistencerattrojan

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.werealestatephotography.com/hw6d/

Decoy

medicare101now.com

danahillathletics.com

realjobexpert.com

boulderhalle-hamburg.com

idoweddinghair.com

awdcompanies.com

thevillaflora.com

neutrasystems.com

allwest-originals.com

designtehengsg.com

thenewyorker.computer

ladybugtubs.com

silina-beauty24.com

mifangtu.com

fashionbranddeveloper.com

istanbulhookah.com

askyoyo.com

osaka-computer.net

conegenie.com

agteless.com

Targets

    • Target

      12042021493876783,xlsx.exe

    • Size

      761KB

    • MD5

      cd20bbd3e19a80fa77317cd2c42facdd

    • SHA1

      41f9e2ee597df731ccd379c7e2a393fbafdbf6c0

    • SHA256

      f2a1b48f82208d3d1bf4e613fd7c6a16f63c96ebb2c31ed502ec67cb6768b2f6

    • SHA512

      4dd51b8d788bfaf6428b3b6336272d3ac5660d52d0efcda28bc0641ddf9d65b74c4700e6922b97a63e8edc82fd4b3e4e35f374b71251f205aefbe040d6ff2995

    Score
    10/10
    xloaderloaderpersistenceratmodiloadertrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks