Overview

overview

10

Static

static

Swift Copy.exe

windows7_x64

10

Swift Copy.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Swift Copy.exe

  • Size

    973KB

  • Sample

    211021-22t8babggk

  • MD5

    52949c01157ca2caa06fb7f5004b4c34

  • SHA1

    1662ff2d63f195b1f467c165df711f55985aa850

  • SHA256

    bdf2c781518f78b8b1bbd888a03b0a1ae32d598e2abe57e21dbcdefd5dacdaa0

  • SHA512

    73a78d4dfbb936b8b3524b45d3789cecd792a4a20c6c93215b82c5b8c99a3c092d94b3b8c685fc090208bee98c68606c1879eb854e018b6607d95ff53b901fc0

Score
10/10
xloaderbsz6loaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

bsz6

C2

http://www.hosotructiep.online/bsz6/

Decoy

rn-interior.com

padimo40.com

original-photos.com

gigacode.club

sacarwrap.com

daphne1.com

studyabroadway.com

caddonline.com

medicareadvplans.net

keyuhair.com

ethenea-paris.com

hungryhollow.farm

hirdavatgezegeni.com

biotransmitter.com

vrikshamfinance.com

holzhafen-bodensee.com

houseofbegums.com

dream-mart.tech

csitexas.biz

kitchenalamode.xyz

Targets

    • Target

      Swift Copy.exe

    • Size

      973KB

    • MD5

      52949c01157ca2caa06fb7f5004b4c34

    • SHA1

      1662ff2d63f195b1f467c165df711f55985aa850

    • SHA256

      bdf2c781518f78b8b1bbd888a03b0a1ae32d598e2abe57e21dbcdefd5dacdaa0

    • SHA512

      73a78d4dfbb936b8b3524b45d3789cecd792a4a20c6c93215b82c5b8c99a3c092d94b3b8c685fc090208bee98c68606c1879eb854e018b6607d95ff53b901fc0

    Score
    10/10
    xloaderbsz6loaderpersistenceratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks