Advised Original Copy.exe

General

Target: Advised Original Copy.exe
Size: 116KB
Sample: 210504-wrxm72s1g6
Score: 10/10
MD5: c7204a082507c549863ff363ea3c087c
SHA1: aab2be6081caa29574b359933e908a47418e6e22
SHA256: de69ed8e2b3ba6de15b3f28b802725d41241e5b6d6717e522a2b53db860a1efb
SHA512: d7a0b3aa53072297d92323f262851c1e93eeab0fd74f5628c9bba803ec1452ee584ea2907e5c0ee542cb36997e87ce2db1600e725f5847724c6678dd24b8476d

Malware Config

Extracted

Family: xloader
Version: 2.3
C2: http://www.innovativevan.com/i8be/

Decoy domains:

  • cdymjim.icu
  • globalmilitaryaircraft.com
  • slusheestore.com
  • freepdfconvert.net
  • itadsweden.com
  • legenddocs.com
  • metholyptus.com
  • 966cm.com
  • mobilitygloves-protect.com
  • travaze.net
  • go-kalisa.com
  • believehavefaith.com
  • nywebhost.com
  • semitsol.com
  • wowyuu.net
  • cochesb2b.com
  • gobesttobuy.com
  • senmec23.com
  • bmsgw.com
  • newazenterprise.com
  • onlinefitnessmechanic.com
  • makeournationsafeagain.com
  • climat2020.com
  • hamsikoysutlaci.net
  • networkslice.com
  • wanganwanderer1.com
  • nationwidesignage.com
  • lucianmediazone.com
  • geekyweel.com
  • hzky888.com
  • mcfarlaneweb.com
  • c-w3.com
  • covidstracking.com
  • flowingwealth.com
  • sprinklesglobal.com
  • secret-mall.com
  • extraclasss.com
  • stasiapl.com
  • 1905vintage.com
  • 8649gb.com
  • brisketbeard.com
  • optionsafecode.com
  • foms4om.com
  • differentquartz.info
  • freshly.pizza
  • levettfyneralhome.com
  • leteeshirtboutique.com
  • creativesdanfe.com
  • t-oils.com
  • seoforamz.com

Targets

Target: Advised Original Copy.exe
MD5: c7204a082507c549863ff363ea3c087c
Filesize: 116KB
Score: 10/10
SHA1: aab2be6081caa29574b359933e908a47418e6e22
SHA256: de69ed8e2b3ba6de15b3f28b802725d41241e5b6d6717e522a2b53db860a1efb
SHA512: d7a0b3aa53072297d92323f262851c1e93eeab0fd74f5628c9bba803ec1452ee584ea2907e5c0ee542cb36997e87ce2db1600e725f5847724c6678dd24b8476d

Signatures

  • Xloader
    Description: Xloader is a rebranded version of Formbook malware.

  • Xloader Payload

  • Checks QEMU agent file
    Description: Checks presence of QEMU agent, possibly to detect virtualization.
    TTPs: Query Registry; System Information Discovery

  • Deletes itself

  • Legitimate hosting services abused for malware hosting/C2
    TTPs: Web Service

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactic columns as rendered (no technique cells survived extraction): Collection, Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Tasks

  • static1
  • behavioral1: 10/10
  • behavioral2: 10/10