Overview

overview

10

Static

static

PO_No.2022...BW.exe

windows7_x64

10

PO_No.2022...BW.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO_No.202201EYL-01_ABW.zip

  • Size

    750KB

  • Sample

    211122-k1622sfbdj

  • MD5

    30f28f9a068331165c38d5ec81d90adc

  • SHA1

    2111ef170453214ba4de25764d74f68687c40786

  • SHA256

    0c8d5d0e078e9ad7e2abe208ab75e61c94b7c061c4dacd2b1da41ec39f3deff7

  • SHA512

    99002622eeb0617eb3e90574ead4892da17efacfadeb8b805185f9183be611c81f8568e106ca3bf40c6706ab36e74897b966d7cda9005ca80638858e0be4d61e

Score
10/10
xloader46uqloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

46uq

C2

http://www.liberia-infos.net/46uq/

Decoy

beardeddentguy.com

envirobombs.com

mintbox.pro

xiangpusun.com

pyjama-france.com

mendocinocountylive.com

innovativepropsolutions.com

hpsaddlerock.com

qrmaindonesia.com

liphelp.com

archaeaenergy.info

18446744073709551615.com

littlecreekacresri.com

elderlycareacademy.com

drshivanieyecare.com

ashibumi.com

stevenalexandergolf.com

adoratv.net

visitnewrichmond.com

fxbvanpool.com

Targets

    • Target

      PO_No.202201EYL-01_ABW.exe

    • Size

      1.0MB

    • MD5

      0025968e7da258b082f9c904e500568b

    • SHA1

      49f3dbc6f9f52322240285c8ba8ac65d6f528c87

    • SHA256

      e7f1ace8723e30320b9e8bc3dc8a079c2d82d8c58b6ef7e0810ee4f661f5f141

    • SHA512

      d9f6ebef441441c7ef749039c724e7c13bb5d4cb552b2509b7f9aa19a31c255ba6213124b4bff62d78f2867d8edc73286083bf2c454cd8f0ea55fe7d488e378b

    Score
    10/10
    xloader46uqloaderratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Command-Line Interface

1
T1059

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks