Overview

overview

10

Static

static

1

Order-EM71...df.exe

windows7_x64

10

Order-EM71...df.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Order-EM7110509-pdf.pif

  • Size

    247KB

  • Sample

    220125-jqzpjsbeh3

  • MD5

    6965c35c75220ac5a5d4f3ab46cf4363

  • SHA1

    e4691bf844e64f3f05dda96ab50f8875979f65d6

  • SHA256

    fb45dfc26c736d67a8c409194b6f0e503a4519be42dfd1eaa7b7efb026d7c512

  • SHA512

    638c27f985560c0f9e7021cffd44a5c586f1c4a73d86c655e157d9167a6703d26961c2f6508c6a9aa850868042483b6878e97d644b9f0c7dcbd88e08076057b4

Score
10/10
xloaderuar3loaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

Targets

    • Target

      Order-EM7110509-pdf.pif

    • Size

      247KB

    • MD5

      6965c35c75220ac5a5d4f3ab46cf4363

    • SHA1

      e4691bf844e64f3f05dda96ab50f8875979f65d6

    • SHA256

      fb45dfc26c736d67a8c409194b6f0e503a4519be42dfd1eaa7b7efb026d7c512

    • SHA512

      638c27f985560c0f9e7021cffd44a5c586f1c4a73d86c655e157d9167a6703d26961c2f6508c6a9aa850868042483b6878e97d644b9f0c7dcbd88e08076057b4

    Score
    10/10
    xloaderuar3loaderratpersistence

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks