General

  • Target

    kzNDJkUFN9Ogo4Z.rar

  • Size

    379KB

  • Sample

    210917-wq41gsahel

  • MD5

    aee6b9a7493b8dc8b3805b1bb50cb610

  • SHA1

    e261aeb4b081525e77f4fc0987505ab56ce8a0f7

  • SHA256

    00aa43d18f6fb3e9af58a7ad1f569a8e5e53baa270940e878469eb0ec8fe5ff1

  • SHA512

    177328e0beb9da1e0a6e8d3f8eefe81aed42551ddea4c813e0c2b64302ff57b7d578a12ae972e458d227b0e0e0c95c9e3b95c2380622b638e53e0ea9599466be

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.3

  • Campaign

    a0ce

  • C2

    http://www.car-surgeons.com/a0ce/

  • Decoy

    chennaiprintshop.com
    criminallawbd.com
    www140800.com
    southernleaflounge.com
    moderngypsydesignlabs.com
    bioarmourtech.com
    simplyalina.com
    picnicdepot.com
    peshawarsc.com
    innovativecustomcabinetry.com
    fzju-ovrzw.xyz
    63mews.com
    giovannitarga.com
    modernofficeaccessories.com
    a2zpetcare.net
    online-nb.com
    brateix.info
    bosc.pro
    xcarethospitality.com
    sedulabs.com

Targets

    • Target

      kzNDJkUFN9Ogo4Z.exe

    • Size

      458KB

    • MD5

      da89e9e692b59173b8a32858194df702

    • SHA1

      3b0a7663082c37f7653c45405dc1477d22879113

    • SHA256

      4ba1f1501a26ef0aa2b5bf2c78c8e829812bc931fcad960a768fbf1cab55e351

    • SHA512

      bc27ee3020a9f0a865bd55afe25e6b1117287e9bdc16ea12b98e4b96202a5a271a9315963e7c98f8735d5cea6d01edc73b0422fec19d1b07b9164de1550a30de

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Blocklisted process makes network request

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (1): T1053

  • Persistence

    Scheduled Task (1): T1053

  • Privilege Escalation

    Scheduled Task (1): T1053

  • Discovery

    System Information Discovery (1): T1082

Tasks