Overview

overview

10

Static

static

Shipping d...ce.exe

windows7_x64

10

Shipping d...ce.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Shipping documentsProforma invoice.exe

  • Size

    729KB

  • Sample

    210823-37v3qt63ja

  • MD5

    10bef7b81cbd13b3dc58d813e7fc06c1

  • SHA1

    97c623c38ec83ad146f80f4da6fcf083c95dd50b

  • SHA256

    a7c09392aa26962b20d2fc58398b6425ebd062187b2923fbbb7b1866523f1e26

  • SHA512

    3a3bf8ed8b2604ac622f244d24c556a6f066182ba284c7e5488ff18b513f807cfcab7c23fe34e59474c1bb52b9fcf187922089ec95f868008d983ad2bf1392a5

Score
10/10
modiloaderxloaderb6culoaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

b6cu

C2

http://www.xn--marketingrevolucin-61b.com/b6cu/

Decoy

votreconseilfinancier.com

wholesaleplay.com

komfy.store

hsyunfan.com

tournamenttips.com

yourbusine.xyz

wrg-referrals.com

harmless-oily.com

whizdomtowealth.com

xusmods.com

cleanerstoday.com

finopscert.com

paerexpress.com

kankb.com

res-o.info

balonpantolon.com

freedownloadbiz.info

jeffegriffin.com

gobahis119.com

ourcalvinsarm.com

Targets

    • Target

      Shipping documentsProforma invoice.exe

    • Size

      729KB

    • MD5

      10bef7b81cbd13b3dc58d813e7fc06c1

    • SHA1

      97c623c38ec83ad146f80f4da6fcf083c95dd50b

    • SHA256

      a7c09392aa26962b20d2fc58398b6425ebd062187b2923fbbb7b1866523f1e26

    • SHA512

      3a3bf8ed8b2604ac622f244d24c556a6f066182ba284c7e5488ff18b513f807cfcab7c23fe34e59474c1bb52b9fcf187922089ec95f868008d983ad2bf1392a5

    Score
    10/10
    persistencespywarestealermodiloaderxloaderb6culoaderratsuricatatrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Modifies system executable filetype association

      persistence

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks