Overview

overview

10

Static

static

48d5d5bc83...1).exe

windows7_x64

10

48d5d5bc83...1).exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1)

  • Size

    314KB

  • Sample

    210420-jy2zqf5zvs

  • MD5

    4a391bca07af23a8e735b4e4bba0a195

  • SHA1

    8bd5c99ed285cb37429a7bf4a6e14012e4c04e1d

  • SHA256

    48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908

  • SHA512

    c46272ebd87e47186b682e4d64dfbde69aa60b7c8b4981af3accc89a943fd1d904b53bab8b87badfeace3b62e324970d85187543a5145ff8a57c982470dbdfba

Score
10/10
xloaderloaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.numbri.com/sb9r/

Decoy

greatdomainsales.com

otinca.com

paradiseinvestings.com

mygujaratjob.xyz

femmeacademy.com

thecrystaloutlets.com

tcv-group.com

beverlyjeanco.com

rxdrugrehab.com

jadrankaandco.com

latinoescort.com

boersenpodcast.com

strategicinsightltd.com

kuppers.info

stokje.com

monateki.com

merchantofsquash.com

herchanneltv.com

kloud-digital.com

yuemion.com

Targets

    • Target

      48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908 (1)

    • Size

      314KB

    • MD5

      4a391bca07af23a8e735b4e4bba0a195

    • SHA1

      8bd5c99ed285cb37429a7bf4a6e14012e4c04e1d

    • SHA256

      48d5d5bc835c9bfa24c2f7fb0e3149190639d1d53eb99fac9b6a97df0f6d2908

    • SHA512

      c46272ebd87e47186b682e4d64dfbde69aa60b7c8b4981af3accc89a943fd1d904b53bab8b87badfeace3b62e324970d85187543a5145ff8a57c982470dbdfba

    Score
    10/10
    xloaderloaderpersistencerat

    • Modifies WinLogon for persistence

      persistence

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Nirsoft

    • Xloader Payload

      rat

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks