Overview

overview

10

Static

static

Bank swift...DF.exe

windows7_x64

10

Bank swift...DF.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Bank swift copy.PDF.zip

  • Size

    330KB

  • Sample

    220127-necg4abfak

  • MD5

    787d97479b35c20a2e809d5f0970f640

  • SHA1

    170f0e95c1bab4fd427eaca7b618a813d121fb03

  • SHA256

    768d8411966bf85edb29b2cfad164eb89e82b929405bb061cd19ffd71b6304f8

  • SHA512

    f8267b022f2da949d42917f70139824a52cbb4f464fab1f45684817037775ab4c68d5a5b3bfb15cb4461cfe5eef23154e328b3950d924b34ac944b198fe4c702

Score
10/10
xloaderpvxzloaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pvxz

Decoy

imt-token.club

abravewayocen.online

shcloudcar.com

mshoppingworld.online

ncgf08.xyz

stuinfo.xyz

wesavetheplanetofficial.com

tourbox.xyz

believeinyourselftraining.com

jsboyat.com

aaeconomy.info

9etmorea.info

purosepeti7.com

goticketly.com

pinkmemorypt.com

mylifewellnesscentre.com

iridina.online

petrestore.online

neema.xyz

novelfooditalia.com

Targets

    • Target

      Bank swift copy.PDF.exe

    • Size

      664KB

    • MD5

      124d17d95a6978dbd68fd8362b9f8cde

    • SHA1

      be4da815674e53a90e88981f91e053829cb4cfca

    • SHA256

      d8b24be5c1f3c5844edf740bc560b65c11afad509e52687c9dd543ed16b40a7b

    • SHA512

      4970404d87862f097e05f85cbaf12aa80584548b89c2bcd3b236ea530728923dbaced7fc859e034a4bd9ffa82f93afda2b650cc41b9f46601f6406f08e867eb3

    Score
    10/10
    xloaderpvxzloaderpersistenceratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Blocklisted process makes network request

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks