Overview

overview

10

Static

static

Original ...23.exe

windows7_x64

10

Original ...23.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Original Shipment Doc Ref 2853801324189923.rar

  • Size

    392KB

  • Sample

    211012-2lwffadagr

  • MD5

    ab76cc7ad71db508d46ccc0f3640ca09

  • SHA1

    b6b1d8ea9a0f25be1a9bc37df022586147a01375

  • SHA256

    dd045167dcef2337c3fa44feafc1d6df945e674c6b62a919297e50ae8066fab7

  • SHA512

    d18b830f6e322997095b601fa82d323f4b5910e0572640126d2cfd5f566a3910b5b431f57e4c221acacfb9a32408ae454848235bfa539aadca8e17e6d4d386ab

Score
10/10
xloaderepnsloaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

epns

C2

http://www.lnvietnam.online/epns/

Decoy

mmfaccao.com

blttsperma.quest

946abe.net

indispensablehands.com

jkformationfrance.com

phonerepaire.com

lienquan-trian.com

youkuti.com

empowermindbodystudios.com

seunicapf.com

fk-link.xyz

kunai.tech

difficultbutdoablebrand.com

ejworkspace.com

teracorp.biz

thekids.today

quintaalentejana.com

annaviruksham.com

jshengrong.com

nsmetalmakina.xyz

Targets

    • Target

      Original Shipment Doc Ref 2853801324189923.exe

    • Size

      1.0MB

    • MD5

      9f752a9587909dee2a9467d7fbed1b21

    • SHA1

      cfdf4da7770a40a660efe35473f248a10f2dee96

    • SHA256

      42c76dbf2485d58e38ffccc5cdd20539e4bae8a00b90f4633f453065d20b04cd

    • SHA512

      83c6dbf4752398ca54dca1f9fc7d325ef87a0ee3580b4e9f8a33353983c5c23e70a41bb614d2beb71e74c01034492a72448c9f01fa39b03657d2546bb0b98a11

    Score
    10/10
    xloaderepnsloaderpersistenceratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks