Overview

overview

10

Static

static

Commercial...79.exe

windows7_x64

10

Commercial...79.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Commercial Invoice #No 003169479.PDF.z

  • Size

    341KB

  • Sample

    210820-jnw6ean3sx

  • MD5

    a1b886be9dfde18a0205732e9746cf59

  • SHA1

    e9edeeccad41922e53e88571dae0b7187760275e

  • SHA256

    e88a53926856229e7e11c2c56468dfe7a2075d2424bd73cd0c1b6944253ef3be

  • SHA512

    531d10828059dd8571fa6afaeb21d29d09ed8f9af7c5eff6d9b9910eafac242ecc6ac2aa265bd94c6696c986973b1be313f1a97eec775349e2c995c0a22c74f6

Score
10/10
xloadermabsloaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

mabs

C2

http://www.heehan.com/mabs/

Decoy

joiderqm.com

hyc306.com

ouchplus.asia

abrosnm3.com

hospitalanti-infectives.com

ala-co.com

morrisonltts.net

tradingimpulse.com

invisibleimagination.com

jdjshop.com

huntedby.com

szsgfdzx.com

germfightersusaiowa.com

pahaadpost.com

obrankers.com

plaeralum.com

getfitwithmeministry.com

smartswaploan.com

gypsyjewelrydesigns.com

meetgoodwill.info

Targets

    • Target

      Commercial Invoice #No 003169479.exe

    • Size

      516KB

    • MD5

      5166f63544fa637da92b9a0aeb57543b

    • SHA1

      d958787540ed973f6a9ef3b2c2e758aa2c234182

    • SHA256

      faae7d9edda8ceb6fa049bedc894de456dcc86e1931eb896d3e78cb367fcb01d

    • SHA512

      dbc5f8d5b68f38bddbfb4dfb51628f4c979d768d4e514bd754335ebe25bb8342397422671c781c837b5378c6e0030ba160e0e44e3b0078d64a73df9a9ba3c2e7

    Score
    10/10
    xloadermabsloaderpersistencerat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Deletes itself

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks