General

  • Target

    1.exe

  • Size

    897KB

  • Sample

    210420-5ebycpmrc2

  • MD5

    536aff0decd8fed875614884ee60688d

  • SHA1

    3bcf60af93eea9ea3fc4305ffcf8b9af3f8ba46f

  • SHA256

    f59a0b8ff551c6e41c2ba30190d930eb971691d455eaff001a1d0c8fd3995e06

  • SHA512

    a160fae81ee3fe41111db4d449f7d0289da2b550dc054d3b841a0a8fef98ba17344f7f8bb77027cb183152b84e236458b4db0daab1e653a38371b938f940c63e

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.wahaclean.com/8ufh/

Decoy

Targets

    • Target

      1.exe

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Looks for VirtualBox Guest Additions in registry

    • Xloader Payload

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                        Count  ID
  Execution             Scheduled Task                   1      T1053
  Persistence           Scheduled Task                   1      T1053
  Privilege Escalation  Scheduled Task                   1      T1053
  Defense Evasion       Virtualization/Sandbox Evasion   2      T1497
  Discovery             Query Registry                   4      T1012
  Discovery             Virtualization/Sandbox Evasion   2      T1497
  Discovery             System Information Discovery     3      T1082
  Discovery             Peripheral Device Discovery      1      T1120

Tasks