Overview

overview

10

Static

static

7824,pdf.exe

windows7_x64

10

7824,pdf.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7824,pdf.exe

  • Size

    827KB

  • Sample

    210429-6r8a3bhxq2

  • MD5

    b4ad29571c52c8c83925161e36f076f5

  • SHA1

    379f84acd12f61dbfdbc560fe86206c7366893a9

  • SHA256

    5acfc6aa1ccbdc619df590b1b8092e0c1687558b7f01a7015a20d2a146e60a7f

  • SHA512

    5b4fa3fa489fb014af8320cfb391c4e84b08ab3ebafeacafc031a3d316a863034d7eddafb6d2215dcc3c0f0edead0a7c32ab9285345b1ff03acebd2afae9711f

Score
10/10
modiloaderxloaderloaderpersistencerattrojan

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.werealestatephotography.com/hw6d/

Decoy

medicare101now.com

danahillathletics.com

realjobexpert.com

boulderhalle-hamburg.com

idoweddinghair.com

awdcompanies.com

thevillaflora.com

neutrasystems.com

allwest-originals.com

designtehengsg.com

thenewyorker.computer

ladybugtubs.com

silina-beauty24.com

mifangtu.com

fashionbranddeveloper.com

istanbulhookah.com

askyoyo.com

osaka-computer.net

conegenie.com

agteless.com

Targets

    • Target

      7824,pdf.exe

    • Size

      827KB

    • MD5

      b4ad29571c52c8c83925161e36f076f5

    • SHA1

      379f84acd12f61dbfdbc560fe86206c7366893a9

    • SHA256

      5acfc6aa1ccbdc619df590b1b8092e0c1687558b7f01a7015a20d2a146e60a7f

    • SHA512

      5b4fa3fa489fb014af8320cfb391c4e84b08ab3ebafeacafc031a3d316a863034d7eddafb6d2215dcc3c0f0edead0a7c32ab9285345b1ff03acebd2afae9711f

    Score
    10/10
    modiloaderxloaderloaderpersistencerattrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Blocklisted process makes network request

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks