General

  • Target: Advised Original Copy.exe
  • Size: 116KB
  • Sample: 210504-wrxm72s1g6
  • MD5: c7204a082507c549863ff363ea3c087c
  • SHA1: aab2be6081caa29574b359933e908a47418e6e22
  • SHA256: de69ed8e2b3ba6de15b3f28b802725d41241e5b6d6717e522a2b53db860a1efb
  • SHA512: d7a0b3aa53072297d92323f262851c1e93eeab0fd74f5628c9bba803ec1452ee584ea2907e5c0ee542cb36997e87ce2db1600e725f5847724c6678dd24b8476d

Score: 10/10

Malware Config (Extracted)

  • Family: xloader
  • Version: 2.3
  • C2: http://www.innovativevan.com/i8be/
  • Decoy domains:
      cdymjim.icu
      globalmilitaryaircraft.com
      slusheestore.com
      freepdfconvert.net
      itadsweden.com
      legenddocs.com
      metholyptus.com
      966cm.com
      mobilitygloves-protect.com
      travaze.net
      go-kalisa.com
      believehavefaith.com
      nywebhost.com
      semitsol.com
      wowyuu.net
      cochesb2b.com
      gobesttobuy.com
      senmec23.com
      bmsgw.com
      newazenterprise.com

Targets

    • Target: Advised Original Copy.exe
    • Size: 116KB
    • MD5: c7204a082507c549863ff363ea3c087c
    • SHA1: aab2be6081caa29574b359933e908a47418e6e22
    • SHA256: de69ed8e2b3ba6de15b3f28b802725d41241e5b6d6717e522a2b53db860a1efb
    • SHA512: d7a0b3aa53072297d92323f262851c1e93eeab0fd74f5628c9bba803ec1452ee584ea2907e5c0ee542cb36997e87ce2db1600e725f5847724c6678dd24b8476d

    Score: 10/10

    Signatures
    • Xloader
      Xloader is a rebranded version of Formbook malware.
    • Xloader Payload
    • Checks QEMU agent file
      Checks presence of QEMU agent, possibly to detect virtualization.
    • Deletes itself
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               Technique                       ID      Count
  Execution            Command-Line Interface          T1059   1
  Discovery            Query Registry                  T1012   1
  Discovery            System Information Discovery    T1082   2
  Command and Control  Web Service                     T1102   1

Tasks