Overview

overview

10

Static

static

PO-NOV20211115.exe

windows7_x64

10

PO-NOV20211115.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO-NOV20211115.exe

  • Size

    4.6MB

  • Sample

    211115-qxyt6afdhm

  • MD5

    a4830938aeb704c9b11b2261efdef1fc

  • SHA1

    645111b29a544379ee7c15b44ec11fef103158f3

  • SHA256

    776a5c20a347e729fd9fa02388673f3769a4a5aa7d4e44f579c581c9a928e097

  • SHA512

    9c96dd62907d292e45ceb8ccb98af6625d6e97b47ffd46662e3fcf7055a3565ac181a78c748c451a2c295659bad0fda03b19be6f0fcaf9d522003c2b8b5ad324

Score
10/10
xloaderre6pagilenetloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

re6p

C2

http://www.workwithmarym.com/re6p/

Decoy

jedidpress.com

firstimpression.global

iflycny.com

greenandskin.com

tt9577.com

sumidocpa.com

readsprouts.com

heavenlyhighcreations.com

jlhvz.com

ita-web.com

graeds.com

soundtolight.xyz

rajtantra.net

wearinganawesomewoman.store

hrappur.net

wangmiaojf.xyz

youtogo.xyz

mydeadzone.com

qenagypsum.com

kopijhony.com

Targets

    • Target

      PO-NOV20211115.exe

    • Size

      4.6MB

    • MD5

      a4830938aeb704c9b11b2261efdef1fc

    • SHA1

      645111b29a544379ee7c15b44ec11fef103158f3

    • SHA256

      776a5c20a347e729fd9fa02388673f3769a4a5aa7d4e44f579c581c9a928e097

    • SHA512

      9c96dd62907d292e45ceb8ccb98af6625d6e97b47ffd46662e3fcf7055a3565ac181a78c748c451a2c295659bad0fda03b19be6f0fcaf9d522003c2b8b5ad324

    Score
    10/10
    xloaderre6pagilenetloaderratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks