Overview

overview

10

Static

static

Novi pored...DF.exe

windows7_x64

10

Novi pored...DF.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Novi poredak. 03526128920.PDF.exe

  • Size

    1.1MB

  • Sample

    211118-vh1seshgh5

  • MD5

    a1ce13a80829e9abbf85a3c5429896a5

  • SHA1

    67a59bcf8bf3d0f675d100dba0494497e7f56783

  • SHA256

    2495bc16feccab6c1e1a151993ca42fdb98caa81f11d5933226bf1f72bf7bf70

  • SHA512

    69eac4b2fc7d4fd1cd89113aacba11738172f88c580a2f60b8dcc77c8a367766307ab7f4595a298ea7cf5a25e2cda56449ef8fa8bb28fb2b9c6df600bec768fe

Score
10/10
xloaderpvxzloaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pvxz

C2

http://www.finetipster.com/pvxz/

Decoy

imt-token.club

abravewayocen.online

shcloudcar.com

mshoppingworld.online

ncgf08.xyz

stuinfo.xyz

wesavetheplanetofficial.com

tourbox.xyz

believeinyourselftraining.com

jsboyat.com

aaeconomy.info

9etmorea.info

purosepeti7.com

goticketly.com

pinkmemorypt.com

mylifewellnesscentre.com

iridina.online

petrestore.online

neema.xyz

novelfooditalia.com

Targets

    • Target

      Novi poredak. 03526128920.PDF.exe

    • Size

      1.1MB

    • MD5

      a1ce13a80829e9abbf85a3c5429896a5

    • SHA1

      67a59bcf8bf3d0f675d100dba0494497e7f56783

    • SHA256

      2495bc16feccab6c1e1a151993ca42fdb98caa81f11d5933226bf1f72bf7bf70

    • SHA512

      69eac4b2fc7d4fd1cd89113aacba11738172f88c580a2f60b8dcc77c8a367766307ab7f4595a298ea7cf5a25e2cda56449ef8fa8bb28fb2b9c6df600bec768fe

    Score
    10/10
    xloaderpvxzloaderpersistencerat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks