General

  • Target

    t1.msi

  • Size

    124KB

  • Sample

    211019-r7wyzsghfm

  • MD5

    5262da4295e8a62d58d17991b35bf860

  • SHA1

    3fba37528f6b06d2c89c7d86ce6352df438f1855

  • SHA256

    058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf

  • SHA512

    8a82d10997e8b64ab12688e6cb909e405644bfcf2ed0e47df9c16009bf1ae415c17bc5a0cc27717d34f6f5484ca27fe026893b4637ea01cb1209dd0427574c18

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

fs3g

C2

http://www.indigenousjobsearch.com/fs3g/

Decoy

Targets

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Executes dropped EXE

    • Checks QEMU agent file

      Checks for the presence of a QEMU agent file, possibly to detect virtualization.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks