General

  • Target

    tmp/femp.exe

  • Size

    344KB

  • Sample

    211214-n9zwwaffe7

  • MD5

    c62a556b445ff8cf1b9e0b038a13137e

  • SHA1

    7fefc1609a4e66d234abb47a1536857317bdb31b

  • SHA256

    4b3af4ebfe94ecb1730c15620080935f619b6592fad681921968f986c030c0c3

  • SHA512

    c372806da30c98b047d46f8e70cce90f93829fe484ff5eb49354bd132a846ff126ea4c7024e5fae8de60c96117d940ea4fe2d6c783c67987354c7eee99c4638e

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ef6c

C2

http://www.fis.photos/ef6c/

Decoy


Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks