Overview

overview

10

Static

static

PL0000865422.exe

windows7_x64

1

PL0000865422.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PL0000865422.rar

  • Size

    274KB

  • Sample

    211018-xxql4sfcgl

  • MD5

    d5709de6bd6067d63af4a1a13a66ee7a

  • SHA1

    dc8ab966c77a6df5b177fa97b917e2acf8b3ab82

  • SHA256

    721ccf61f985ae4e85d3489c4da599692a1194ea88308ad52f56986326a3a9d0

  • SHA512

    a8c5fda9167a9a508fce1ea88eeee03ffa637816783232b23e1c8c5fd46536bd55c7fbbed9cf11a24680f6ef0684102d2311447801a7dc29c2efbff246132513

Score
10/10
xloaderyjqnloaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

yjqn

C2

http://www.wavekiss.com/yjqn/

Decoy

ittybittybunnies.com

flordedesierto.com

cum.care

petshomespace.com

verputzarbeit.com

yuvajanmat.com

getlie.com

finanes.xyz

thelazyrando.com

domelite.design

yukinko-takasu.com

pontosmensal.com

maurlinoconstruction.com

getelectronow.com

newmexicocarwrecklawfirm.com

gunnbucks.com

ncsy30.xyz

opsem.info

authorisewallet.com

scchanghe.com

Targets

    • Target

      PL0000865422.exe

    • Size

      703KB

    • MD5

      3058852680b613ecb1358c0f35506827

    • SHA1

      0c7bdea3c59db8b19b89a96e804f1dab630d81c7

    • SHA256

      9e433f562c623ddfcc0248f72a1c721916fc93ad56d18c4eb7ef6e60f8d7c1f2

    • SHA512

      940e968e19bf3cd2b06fe30f1b7c23686959e728f52612c23d23eeba2bd54bc7dd066d35e437406a60e5ca3c6ec349587c445f1158fbdce5777f18f3307be7ff

    Score
    10/10
    xloaderyjqnloaderpersistenceratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks