Overview

overview

10

Static

static

Original S...33.exe

windows7_x64

10

Original S...33.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Original Scan_Doc Ref 28538013241899233.rar

  • Size

    385KB

  • Sample

    210930-l4tfsshcep

  • MD5

    848194436babe28f7f5823878ea7be34

  • SHA1

    131e50b33679245360e22ea0e0cd24458db3b6fd

  • SHA256

    eeae09d50e42da395681151c3de21e56aa732236cf7a8be2ef7cded10827eed2

  • SHA512

    2f30596a34bdbfb896953135fcc177c66c1fb1fcb8a208fe27e74d34f70716e627bd0dc85fbcc7abdf0e3f77eae9b385a7ec49579d9dfa6d0b50d35a04c9b006

Score
10/10
xloaderepnsloaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

epns

C2

http://www.lnvietnam.online/epns/

Decoy

mmfaccao.com

blttsperma.quest

946abe.net

indispensablehands.com

jkformationfrance.com

phonerepaire.com

lienquan-trian.com

youkuti.com

empowermindbodystudios.com

seunicapf.com

fk-link.xyz

kunai.tech

difficultbutdoablebrand.com

ejworkspace.com

teracorp.biz

thekids.today

quintaalentejana.com

annaviruksham.com

jshengrong.com

nsmetalmakina.xyz

Targets

    • Target

      Original Scan_Doc Ref 28538013241899233.exe

    • Size

      912KB

    • MD5

      6fb08a5130cdfc1ba7da0133a916733c

    • SHA1

      4c781c859da4a76de1e8c942b4d712c37fb8ca72

    • SHA256

      18421819d1c37b2be9b6ce90781a538e28f1238486a2f3d60ef682e0fb80f529

    • SHA512

      5572042fab4d2d8d88bb42745ffc33da8af5c9b763cbd8a8a2d50442b46db6b120a79f2cc7c47bbabf10aaff4a7de97251ea3f7148e2d8c1bf0ad90917cbf4fc

    Score
    10/10
    xloaderepnsloaderpersistenceratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Blocklisted process makes network request

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks