General

  • Target

    RFQ - 1100195199 - 1100190914.exe

  • Size

    411KB

  • Sample

    211028-pxxfnagdaj

  • MD5

    19198e3a535c8420bbcdc28232039701

  • SHA1

    8739d67ca895bc43ddb6d3fc7d44b9d9f1d0d9f9

  • SHA256

    02f11a50849b59419b2695f563fc98576ca76f998ab73ef988aa4868cad6320b

  • SHA512

    51b6a376040ef653853e5f3009a273cd0b2ba855951d90671bf7040eb36d76f2126fae8539ab92d3bf162008411c45ed71a8a9f2b913e57f412ae00a1fa2e63c

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    nc26

  • C2

    http://www.tattooof.info/nc26/

  • Decoy

    orangecountydeathmarch.com
    blissbeautyuk.com
    inarticulables.xyz
    go-sbs02.com
    annonces-pointvirgulefrance.com
    ygcdyf.com
    loftischoice.com
    obesidadfceron.com
    jaijin.com
    kreditnekarticehr.com
    proactiveline.com
    sousouhenansheng.com
    lynxvms.com
    doujiu.xyz
    getur-pckg.info
    tremas25.com
    jiayuesport.com
    divyana.website
    n1zk.xyz
    benaatlc.com

Targets

    • Target

      RFQ - 1100195199 - 1100190914.exe

    • Size

      411KB

    • MD5

      19198e3a535c8420bbcdc28232039701

    • SHA1

      8739d67ca895bc43ddb6d3fc7d44b9d9f1d0d9f9

    • SHA256

      02f11a50849b59419b2695f563fc98576ca76f998ab73ef988aa4868cad6320b

    • SHA512

      51b6a376040ef653853e5f3009a273cd0b2ba855951d90671bf7040eb36d76f2126fae8539ab92d3bf162008411c45ed71a8a9f2b913e57f412ae00a1fa2e63c

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Deletes itself

    • Suspicious use of SetThreadContext
