Overview

overview

10

Static

static

grace $.exe

windows7_x64

10

grace $.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ETA 13092021.r00

  • Size

    464KB

  • Sample

    210903-ff8b6afbeq

  • MD5

    bdaef63ab65e0bf1a6c0a0f319870882

  • SHA1

    e6c93a6bfc5a53723ffd2fa1a9e1e2252770ebfb

  • SHA256

    930a5b287917b943e46e998d8acc1714217e41f0d04af5b55443c467882f288d

  • SHA512

    beca8a3d2239aaa509a001e84df8bbd83b434c7a5d894bf49597a8ef57d8b7e9dfebe00c9ef08b0385f777481d9c48bdb7f1bf91b8ff5f6edae497458b2c0cef

Score
10/10
xloadert75floaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

t75f

C2

http://www.vertexnailsblaine.com/t75f/

Decoy

onegolfsydney.com

kaizensportscoaching.com

mliacbjv.icu

rinstech.net

midas-parts.com

istmenian.com

ibrahimpike.com

herbspaces.com

gentleman4higher.com

workabusiness.com

isabusive.website

222555dy.com

lwhyzhzb.xyz

gabrielabravoillanes.com

hearthomelife.com

buildswealth.com

printitaz.com

l-mventures.com

baincot3.com

nstaq-labs.com

Targets

    • Target

      grace $.exe

    • Size

      482KB

    • MD5

      beee308b51db0c02f8eeebf7d2773a6d

    • SHA1

      4df5d609ea5b05dfcba4b9e51120a10374f7d450

    • SHA256

      7af335cb2a2646ddadf12f730585a217523da868aaeb12ba621b367c1b942693

    • SHA512

      d0665aa70d1c1116a36c296bc49ec4b474a086d9741d3439f8b0fe4c8f054ae8ab1d5610b4e4e74758c25947054a569e5b897822e2859c8595b00dc69015a63b

    Score
    10/10
    xloadert75floaderratsuricatapersistence

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks