Overview

overview

10

Static

static

SWIFT payment.exe

windows7_x64

10

SWIFT payment.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SWIFT payment.daa

  • Size

    34KB

  • Sample

    210909-djd7dafdg3

  • MD5

    efadfc4a0c3d7996361eccd6ae6334a2

  • SHA1

    e522032627242b7d32311129c7fa79969b3fdd90

  • SHA256

    5f48638bceeaf61f0ce94b675b3917813fed0bbf6f6f491aadb478a3551b536a

  • SHA512

    aa83af820a5e9dc181d0ce8d130c327b87300ee5e2ab5c01a490d94a520dd65fb8853e481bf09069e1ec48e61c79ac3068972b8f3eab52451da2695f1e278897

Score
10/10
formbookxloaderdi4cloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

di4c

C2

http://www.thatangrywhiteguy.com/di4c/

Decoy

cevaphakki.com

nocodemonitor.com

fbsfirm.com

bigtimesight.net

freetimesshop.com

yzfbook.xyz

pioner-sport.online

nhfstyle.com

sabaroakuyomungcahkerjo.com

xn--80aqfb9abc.xn--p1acf

troncentralbank.com

nirvananaturalorganics.info

saokedao.com

seedcode.group

helovestosew.com

upgrade-lb.com

othmanbay.com

versagedistribution.com

bicarayangyungan13.com

tissusbyzdenka.com

Targets

    • Target

      SWIFT payment.exe

    • Size

      96KB

    • MD5

      03f2693b86d9cd7564903e15f5e8979f

    • SHA1

      5e4bf20543123c2d6e66b901e9a267a37a50d5a9

    • SHA256

      f1f6f1952ea49d853b435f20f21dfa86e4a190547aabcddd80d3fad59a8664aa

    • SHA512

      3bcd317c78eb101dc9e0d139b773ee6c976b16dc23b6af553bd0eeac98c0d8c503e71cdc6cda23c2f136093487f9bbfe94dab80de7a05bcb24e8dac89ecb16d8

    Score
    10/10
    formbookxloaderdi4cloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Deletes itself

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks