General

  • Target: samples.zip
  • Size: 60KB
  • Sample: 210504-yqd3wj2b9j
  • MD5: 365b2c4ceb407b718259bcdb645071f3
  • SHA1: b419e462e61007469718280974b59a487462b033
  • SHA256: e8384166957076efd104eaf0443b1cda502c5d6e3bdc3f0ea4764b5adb77ee16
  • SHA512: 1d0cce1c8282892c91d80940e25ce48eef26fac07b551c1b1d58c9273b6ae8c9163fccf4a536c3a2a32aa8201fa1ccdcb9061c49d68379e561d282dd00984a08

Malware Config

Extracted

  • Family: xloader
  • Version: 2.3
  • C2: http://www.innovativevan.com/i8be/
  • Decoy: 20 decoy domains


Extracted

  • Family: lokibot
  • C2:
    • http://manvim.co/fc2/fre.php
    • http://kbfvzoboss.bid/alien/fre.php
    • http://alphastand.trade/alien/fre.php
    • http://alphastand.win/alien/fre.php
    • http://alphastand.top/alien/fre.php

Targets

  • Target: Original copies of shipment docs.exe
  • Size: 92KB
  • MD5: 8b96af7d76b487cea6aa04f565b8cb9f
  • SHA1: 3e904fec3e82c9f01ccc64fbdcde35d306c6147f
  • SHA256: 49559dd2c1d9b0841f3384f3080013f8d644760d45ab7cd4fb4928bb2b91f354
  • SHA512: 786140d030095ce5c0865c21e049c8572e3ee5ec78eadebb15611a4b0f59bac995a306f14e85cd30506cd7661819d3d6a3fe43e4ac714fceb9e0c0991f171790
  • Score: 10/10
    • Xloader (Xloader is a rebranded version of Formbook malware.)
    • Xloader Payload
    • Checks QEMU agent file (Checks presence of QEMU agent, possibly to detect virtualization.)
    • Deletes itself
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

  • Target: pic05678063.exe
  • Size: 92KB
  • MD5: 22b022a5547dbc1c9bcfb8e4d7eb440f
  • SHA1: 952b628cb42495baf73c468d509f249d55aa7966
  • SHA256: c2544476ab17fd3fb816a97f08f16548a73c106cca80e1f5e185086d25a9f414
  • SHA512: c1a8f88047f91c4ad9b0e916d17f2c32c3fa080208d1eb77cab0ce57bb8594337d324bf99275bca1c5eb89d5dcf5898ccefa9de83efbe9a3beb2369ac6355c76
    • Lokibot (Lokibot is a Password and CryptoCoin Wallet Stealer.)
    • Checks QEMU agent file (Checks presence of QEMU agent, possibly to detect virtualization.)
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               Technique                        ID     #
  Execution            Command-Line Interface           T1059  1
  Discovery            Query Registry                   T1012  2
  Discovery            System Information Discovery     T1082  3
  Command and Control  Web Service                      T1102  2