Overview

overview

10

Static

static

K.exe

windows7_x64

10

K.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Bank Slip.r00

  • Size

    463KB

  • Sample

    210906-g3jgzsaec4

  • MD5

    2ade87a4036024000b298b8103ea75ca

  • SHA1

    775f9231948417dcea3c9de924fa1a787b8dae63

  • SHA256

    aa605f7e6a23b17090604ec107d82f01ab49221b590f8b966d2906bbf0a0214f

  • SHA512

    b5a5f5383c22790d76ce02a6fd4d20c49ca43ec222cd3f7d271bd48a376c199e4ebf58eebd6a9c6dc3ff7a3b9d29994da2000b6776687f5d66dc49300676aede

Score
10/10
formbookxloadert75floaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

t75f

C2

http://www.vertexnailsblaine.com/t75f/

Decoy

onegolfsydney.com

kaizensportscoaching.com

mliacbjv.icu

rinstech.net

midas-parts.com

istmenian.com

ibrahimpike.com

herbspaces.com

gentleman4higher.com

workabusiness.com

isabusive.website

222555dy.com

lwhyzhzb.xyz

gabrielabravoillanes.com

hearthomelife.com

buildswealth.com

printitaz.com

l-mventures.com

baincot3.com

nstaq-labs.com

Targets

    • Target

      K.exe

    • Size

      723KB

    • MD5

      de5ca69a7939c4a8ce6846463990aa7b

    • SHA1

      358c3f58194ccc713f000e194024b817f6cb5320

    • SHA256

      5bc9d0c8fd02f1c138178b1291378304a653717076f9e12ba4334609dcf7b11c

    • SHA512

      827bb09597d0226e27e2740886993593d7565d1bb5d130ee46bd87c6663f1cb60ac369a3272675fad8c8d8789e3b6aaf822ef13bcdf89cf821830ce795a7f7c6

    Score
    10/10
    formbookxloadert75floaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks