General

  • Target

    TT FORMAT COPY.exe

  • Size

    665KB

  • Sample

    210907-qfz1wsfhck

  • MD5

    a38729e20e3923799d71f59f1f06626a

  • SHA1

    4584ce72f20718091af38760eba105e1b01b1f8d

  • SHA256

    caee115a3bb2028fd81681b1fef997f87893c603dd42ca0932896029424ed1e7

  • SHA512

    0b31792ee2580053f111ffb066fb7a9c88c9c03e412bef1390bb302d1d4174f45e45e2e921679c19fe77d60f49948e99d695cb2cca393f6deebbf041de19fa2f

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n58i

C2

http://www.mack3sleeve.com/n58i/

Decoy

nl-cafe.com

votetedjaleta.com

britrobertsrealtor.com

globipark.com

citysucces.com

verisignwebsite-verified.com

riddlepc.com

rosecityclimbing.com

oleandrinextract.com

salmankonstruksi.com

needhamchannel.com

refreshx2z.com

youth66.com

pla-russia.com

halloweenmaskpro.com

exdysis.com

1gcz.com

lookgoodman.com

rlxagva.com

stlcityc.com
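Formbook/Xloader does not contact the C2 in isolation: each beacon cycle walks the decoy domains with the same campaign path, and the real C2 is only one entry in that list. For hunting, the whole set (C2 plus decoys plus the `/n58i/` path) is therefore the indicator. The script below is an added example, not part of the sandbox report or of any vendor tooling; it loads the config values printed above, classifies URLs from a constructed proxy-log format (timestamp, client IP, method, URL, status; the lines are made up for the example), and flags clients that fan out across several config hosts, which is the characteristic pattern of this family. Stripping a leading `www.` before comparing hosts is an assumption made here so the C2 entry and the decoy entries compare alike.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Values copied from the extracted config above.
C2_URL = "http://www.mack3sleeve.com/n58i/"
CAMPAIGN = "n58i"
DECOYS = [
    "nl-cafe.com", "votetedjaleta.com", "britrobertsrealtor.com", "globipark.com",
    "citysucces.com", "verisignwebsite-verified.com", "riddlepc.com",
    "rosecityclimbing.com", "oleandrinextract.com", "salmankonstruksi.com",
    "needhamchannel.com", "refreshx2z.com", "youth66.com", "pla-russia.com",
    "halloweenmaskpro.com", "exdysis.com", "1gcz.com", "lookgoodman.com",
    "rlxagva.com", "stlcityc.com",
]


def normalize_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so that the C2
    (listed with www.) and the decoys (listed without) compare alike.
    Assumption for this example: the operator may use either form."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


C2_HOST = normalize_host(urlparse(C2_URL).hostname)
DECOY_HOSTS = {normalize_host(d) for d in DECOYS}
IOC_HOSTS = DECOY_HOSTS | {C2_HOST}


def classify(url):
    """Return a verdict for one URL, or None if nothing in the config matches."""
    u = urlparse(url)
    host = normalize_host(u.hostname or "")
    path_hit = u.path.rstrip("/").endswith("/" + CAMPAIGN)
    if host == C2_HOST and path_hit:
        return "c2-checkin"
    if host in DECOY_HOSTS and path_hit:
        return "decoy-checkin"
    if host in IOC_HOSTS:
        return "ioc-host"       # config domain on another path: still worth a look
    if path_hit:
        return "campaign-path"  # weakest signal: a four-character path alone is noisy
    return None


# Constructed log format: "<iso-timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$"
)

# Constructed sample lines; 10.0.0.25 behaves like an infected host.
LOG_LINES = [
    "2021-09-07T14:02:11Z 10.0.0.25 GET http://www.mack3sleeve.com/n58i/?a=b 200",
    "2021-09-07T14:02:13Z 10.0.0.25 GET http://nl-cafe.com/n58i/?a=b 404",
    "2021-09-07T14:02:14Z 10.0.0.25 POST http://youth66.com/n58i/ 200",
    "2021-09-07T14:03:00Z 10.0.0.31 GET http://example.org/n58i/ 200",
    "2021-09-07T14:03:05Z 10.0.0.31 GET http://www.mack3sleeve.com/ 200",
]


def hunt(lines):
    """Parse log lines and keep the ones that match the config."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["url"])
        if verdict:
            host = normalize_host(urlparse(m["url"]).hostname or "")
            hits.append({"src": m["src"], "host": host, "verdict": verdict})
    return hits


def suspicious_sources(hits, min_hosts=2):
    """Clients that reached at least min_hosts distinct config hosts on the
    campaign path. One client cycling through the decoy list around the real
    C2 is the Formbook/Xloader beacon pattern; a single hit may be a crawler."""
    per_src = defaultdict(set)
    for h in hits:
        if h["verdict"] in ("c2-checkin", "decoy-checkin"):
            per_src[h["src"]].add(h["host"])
    return {src for src, hosts in per_src.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    found = hunt(LOG_LINES)
    for h in found:
        print(h)
    print("fan-out sources:", suspicious_sources(found))
```

Blocking only the C2 domain is not enough: the decoys are ordinary third-party sites that the sample also touches, so they belong in the hunt list as context, not in a blocklist, and a client that hits several of them on the `/n58i/` path is the thing to triage.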

Targets

    • Target

      TT FORMAT COPY.exe

    • Xloader

      Xloader is the rebranded successor of Formbook, sold as malware-as-a-service since 2020; it keeps Formbook's stealer and C2 protocol and added a macOS build.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      The Emerging Threats FormBook signature fires on this sample because Xloader retains Formbook's HTTP check-in format; do not let the rule name lead the triage toward the older family.

    • Xloader Payload

    • Deletes itself

      The dropper removes its own file after unpacking, so collect the on-disk sample before detonation or recover it from the decrypted payload in memory.

    • Suspicious use of SetThreadContext

      SetThreadContext on another process's thread is the final step of process hollowing or thread hijacking: the injector rewrites a suspended thread's registers so it resumes inside the injected payload (ATT&CK T1055). Xloader runs its payload inside a legitimate process this way, so hunting should key on the injected process's network activity rather than on TT FORMAT COPY.exe.
