Overview

overview

10

Static

static

SHIPPING DOCUMENT.exe

windows7_x64

10

SHIPPING DOCUMENT.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SHIPPING DOCUMENT.exe

  • Size

    622KB

  • Sample

    210819-nxze2ecda6

  • MD5

    482fa062ccc6bddcf62b70186194cb6c

  • SHA1

    9c0f6c938ab0cf047817d1d0838b303d5587048e

  • SHA256

    02ad1e8b1187eba2576ef84f878c7c9b579fdad150ec5f4f060c814d22ab0550

  • SHA512

    95b7dd6ad34243825a825af92408fdc4ede68b4d9be3e9f42341bd0d48b3dd782e9bce984bb9a1f356de0b28966a4c688bb967b84307802b0e5c6382888266ab

Score
10/10
modiloaderxloadere2waloaderpersistencerattrojan

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

e2wa

C2

http://www.waterandthreads.com/e2wa/

Decoy

mursdiary.com

bivibe.com

margueritebriu.com

xn--schttorf-openair-lzb.com

lyatransport.com

exclusivemerchantsolutions.com

cafedeollamendoza.com

myfashionest.com

bonap56.com

dubaikey.club

redwoodva.com

suffolkpolicepba.com

zonedblack.com

alekhyasarees.com

moonrockscanada.com

info-kaiteki.com

covidtenantrelief.com

jiazhengayi.com

cryptotrustlab.com

jeanpaulramirez.money

Targets

    • Target

      SHIPPING DOCUMENT.exe

    • Size

      622KB

    • MD5

      482fa062ccc6bddcf62b70186194cb6c

    • SHA1

      9c0f6c938ab0cf047817d1d0838b303d5587048e

    • SHA256

      02ad1e8b1187eba2576ef84f878c7c9b579fdad150ec5f4f060c814d22ab0550

    • SHA512

      95b7dd6ad34243825a825af92408fdc4ede68b4d9be3e9f42341bd0d48b3dd782e9bce984bb9a1f356de0b28966a4c688bb967b84307802b0e5c6382888266ab

    Score
    10/10
    modiloaderxloadere2waloaderpersistencerattrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks