Overview

overview

10

Static

static

payment ad...67.exe

windows7_x64

10

payment ad...67.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    payment advice_mt103645367.exe

  • Size

    156KB

  • Sample

    210415-3aga2dk2ys

  • MD5

    e4f3fd2e517743504817b7c3e2032de3

  • SHA1

    b42b6607bef7562a38a55b1d74fbb6e5d91f8fcf

  • SHA256

    08673c97c9a0e20536ce90e162e7da11dde8d4bfc4c01cabe7d3baeafaf449e6

  • SHA512

    b5cfc38957afef0641a7da98b9d48a5af2f25bc06a4d33865a0204e788902f4ad1e57efb3c34a5ae970bf3fa03eeddb084707ef4fb2b97f0c3ba908c53092822

Score
10/10
guloaderxloaderdownloaderguloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.healthpro.info/hwad/

Decoy

atracion.digital

abiraron.com

pamelaklein.com

ailingboli.com

stclandhome.com

lowcarbindulgence.com

comedytournaments.com

hervis.academy

votestevecody.com

medsdiscount.cloud

pagenstechers.com

itagamescraft.net

321duang.com

digitalmarketingjobsworld.com

spsxhstar.com

yhnbgtr.com

018fee1.com

weixiang168.com

modernlifestylejournal.com

nathapatilgroup.com

Targets

    • Target

      payment advice_mt103645367.exe

    • Size

      156KB

    • MD5

      e4f3fd2e517743504817b7c3e2032de3

    • SHA1

      b42b6607bef7562a38a55b1d74fbb6e5d91f8fcf

    • SHA256

      08673c97c9a0e20536ce90e162e7da11dde8d4bfc4c01cabe7d3baeafaf449e6

    • SHA512

      b5cfc38957afef0641a7da98b9d48a5af2f25bc06a4d33865a0204e788902f4ad1e57efb3c34a5ae970bf3fa03eeddb084707ef4fb2b97f0c3ba908c53092822

    Score
    10/10
    guloaderxloaderdownloaderguloaderloaderrat

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Guloader Payload

      guloader

    • Xloader Payload

      rat

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Deletes itself

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks