Overview

overview

10

Static

static

U prilogu ...na.exe

windows7_x64

10

U prilogu ...na.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    U prilogu je izvod racuna.zip

  • Size

    431KB

  • Sample

    211119-wkg9jaebe6

  • MD5

    d2a110259c9c997e82053c34e9bbcd4c

  • SHA1

    14d07c9613b4ee9461934b6c5c957da536143ffc

  • SHA256

    bf2effec642ef493f04dfa747ab6933f48f0426cbba354ab3aae44815fa070f9

  • SHA512

    a0d6b9342875fb1b9046c6c4d01380ba05b7603aceed5c02035d614e57eb5da4358ffc661727ab327617b6e3c7694b68e9513c3b0cd1b8c4751a0f48af1c7135

Score
10/10
xloaderpvxzloaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pvxz

C2

http://www.finetipster.com/pvxz/

Decoy

imt-token.club

abravewayocen.online

shcloudcar.com

mshoppingworld.online

ncgf08.xyz

stuinfo.xyz

wesavetheplanetofficial.com

tourbox.xyz

believeinyourselftraining.com

jsboyat.com

aaeconomy.info

9etmorea.info

purosepeti7.com

goticketly.com

pinkmemorypt.com

mylifewellnesscentre.com

iridina.online

petrestore.online

neema.xyz

novelfooditalia.com

Targets

    • Target

      U prilogu je izvod racuna.exe

    • Size

      897KB

    • MD5

      bf7656bd12573a9614800c04bc060b64

    • SHA1

      cc38679d954c885e0e5417b8945ee3eceb05746c

    • SHA256

      615e6f18d8843af256c4acca22d337f41c24795147dc7329968884a5e42caa10

    • SHA512

      bf7e3a3e1f142a4371172c0e2c2671439bf4773b824247d70ddca05364f54b86b43faac2c78e356b53e3b4ce50b13c52d253833ea518519eb68a055416666fe0

    Score
    10/10
    xloaderpvxzloaderpersistencerat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks