General

  • Target

    NEW PO.exe

  • Size

    716KB

  • Sample

    210831-b3h1wgefne

  • MD5

    327983a39260bc277f97cfc30de6f95b

  • SHA1

    12c136d5721f0cc56f6519dc607c03677e18543b

  • SHA256

    f621e1b5cd41932d5afac294e228f4f62b056ef322103c8ec06b9123a4eac2d0

  • SHA512

    9497feb48c9532123eae4f78615aad9072a5720b1b818a28b9ed1a2abaf2f1af71895b8683060166c11710ced6d8ded423b89856f7badf32ee07a0ef1dd110b4

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.3

  • Campaign

    k8b5

  • C2

    http://www.chongzhi365.com/k8b5/

  • Decoy

    sardamedicals.com

    reelectkendavis4council.com

    coreconsultation.com

    fajarazhary.com

    mybitearner.com

    brightpet.info

    voicewithchoice.com

    bailbondscompany.xyz

    7133333333.com

    delights.info

    gawlvegdr.icu

    sdqhpm.com

    we2savvyok.com

    primallifeathlete.com

    gdsinglecell.com

    isokineticmachines.com

    smartneckrelax.com

    gardenvintage.com

    hiphopvolume.com

    medicapoint.com

Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Deletes itself

    • Suspicious use of SetThreadContext