General

  • Target

    RFQ0473838383.zip

  • Size

    415KB

  • Sample

    211005-v9lgtaabf9

  • MD5

    4a2cf5e45533159e0d55ee15b9192a1e

  • SHA1

    d0ce4d3cf0fc0a4797d3fee0222512de1589f755

  • SHA256

    6219d3d351b074f3015edd7e1d9a96a7a6b969deb1c8642c1e5f5f99c73af6a8

  • SHA512

    e16dfd5cc4e5425048e1727769c0f7fba9f2f9a6de3f7a838d4fae60a1658f0eaca8362d114b04a6b01791c88b7f27784395be293de8eb9c0dc2ac8c31db8729

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    iaop

  • C2

    http://www.georgeinnhatherleigh.com/iaop/

  • Decoy

    oosakichi.com
    group1beadles.com
    navegadorexclusivo.digital
    awefca.xyz
    strakerwilliams.com
    stone-img.com
    radialodge.com
    tequesquitengo.net
    humanegardens.com
    rubberyporqjp.xyz
    farazkhak.com
    gfsexpornvideos.com
    stealth-carrier.com
    hemtpi.xyz
    tygcj.com
    agileiance.com
    ioan316.com
    kitchendesigns.xyz
    shannacarolphotography.com
    oheytech88.net

Targets

    • Target

      RFQ0473838383.exe

    • Size

      628KB

    • MD5

      315b261c58696e588523ef02adefb688

    • SHA1

      ba05bf49eddd3525b6bdf3b6700716bac07340bf

    • SHA256

      e9a323cf1693e3ade91d24bd4cb4e9f976f905d9fbcd695dc99f6e8005b9680c

    • SHA512

      10cbc5f94941aa5da2d277177176bbdf21b118b77ebb78baf9a9f14859ce5ae7a0bb7560b2c76900723a96c839c72ee937dfe1e7fad6f65bb0b72606c8ffef52

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Looks for VirtualBox Guest Additions in registry

    • Xloader Payload

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Command-Line Interface, T1059 (1)

  • Defense Evasion

    Virtualization/Sandbox Evasion, T1497 (2)

  • Discovery

    Query Registry, T1012 (4)
    Virtualization/Sandbox Evasion, T1497 (2)
    System Information Discovery, T1082 (4)
    Peripheral Device Discovery, T1120 (1)
