Overview

overview

10

Static

static

Payment Slip.exe

windows7_x64

10

Payment Slip.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Payment Slip.exe

  • Size

    831KB

  • Sample

    210927-qgr2nshafm

  • MD5

    3d0d9c87ea732caf417afa0b8af62267

  • SHA1

    dfb1e57a9cf498310cb7287f4b5792cbcd8b3974

  • SHA256

    95b6ba2be30399f87d20e021bee29f0eb46773b67407f3ed9987d22610d5249d

  • SHA512

    e7db51cd7baf84cf65ebead15c3e56ca9e381866a4edc7e945affe4f64f53bef08519037a5e4fc2ef8f8034e91b240b5d3511a2cdec08e308e8e473a7430a83b

Score
10/10
xloaderqfffloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

qfff

C2

http://www.yuumgo.academy/qfff/

Decoy

lakechelanwedding.com

jengly.com

alluresme.com

axswallet.com

meetmedubai.com

kortzfamily.com

whishfullittles.com

mts-consultant.com

amhoses.com

hdaz2.xyz

lkgsbx.com

b0ay.com

hlthits.com

dicsordgift.com

bearaconnect.com

strategicpropertyventures.com

158393097102.xyz

officesetupofficesetup.com

industrynewz.com

uperionorthamerica.com

Targets

    • Target

      Payment Slip.exe

    • Size

      831KB

    • MD5

      3d0d9c87ea732caf417afa0b8af62267

    • SHA1

      dfb1e57a9cf498310cb7287f4b5792cbcd8b3974

    • SHA256

      95b6ba2be30399f87d20e021bee29f0eb46773b67407f3ed9987d22610d5249d

    • SHA512

      e7db51cd7baf84cf65ebead15c3e56ca9e381866a4edc7e945affe4f64f53bef08519037a5e4fc2ef8f8034e91b240b5d3511a2cdec08e308e8e473a7430a83b

    Score
    10/10
    xloaderqfffloaderratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Deletes itself

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks