Overview

overview

10

Static

static

POSH servi...n..exe

windows7_x64

10

POSH servi...n..exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    POSH service quotation.r15

  • Size

    526KB

  • Sample

    210905-gwg1ksbadl

  • MD5

    4e3cd4f51a4582dd775e3974dde197c9

  • SHA1

    d3030752291b70f3b375179165838b03a0fbf22e

  • SHA256

    27ec204fc931a77bb20d520c3549e4ec09f38e01e8bffd6c7a22827b8774444b

  • SHA512

    fc41a619e703ea26785f42544329f93fa6f5d2777a81b348ae614008255c5a2109a3e185b1e0baac61fb83c484326878ff68803243b937ae3bcb5896168a8da5

Score
10/10
xloadern58iloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n58i

C2

http://www.mack3sleeve.com/n58i/

Decoy

nl-cafe.com

votetedjaleta.com

britrobertsrealtor.com

globipark.com

citysucces.com

verisignwebsite-verified.com

riddlepc.com

rosecityclimbing.com

oleandrinextract.com

salmankonstruksi.com

needhamchannel.com

refreshx2z.com

youth66.com

pla-russia.com

halloweenmaskpro.com

exdysis.com

1gcz.com

lookgoodman.com

rlxagva.com

stlcityc.com

Targets

    • Target

      POSH service quotation..exe

    • Size

      548KB

    • MD5

      38f0e944212962eca78d2209e614aa41

    • SHA1

      7b638710352c0374f41374bde07aa2d57263e8f1

    • SHA256

      2579540806631bf43383d340bf445855f71106614b40854ca9cf33265a24f900

    • SHA512

      3a1178bcf072d554c3c758cf2a4f3a083e027069f2d3c13d55a0e27162a14822ce0ecb5c526b27e1d281c995a6d617cf0c27359f9c23a2a433b1afcf8f12ad96

    Score
    10/10
    xloadern58iloaderratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks