Overview

overview

10

Static

static

1

PO6312.exe

windows7_x64

10

PO6312.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    746c34e640e375df7f39ff7ffb87f87d612e54f535800aaef17a454c12d7c0cd

  • Size

    1.2MB

  • Sample

    220130-amgj5abhej

  • MD5

    a54009d23beb4eb2309f92c5e30c4369

  • SHA1

    09a21bd10b8b508810162cc6c72e1b765cb471e7

  • SHA256

    746c34e640e375df7f39ff7ffb87f87d612e54f535800aaef17a454c12d7c0cd

  • SHA512

    b4e7240b47aee4845c2fc739762afaac3c19cd68c7008dc0891c6344965f7885ce78a8375fd6954bf3a782b92093af0dcd279b85a860ec773700b5d6d5da5dfc

Score
10/10
xloaderhpinloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

hpin

Decoy

lalashealingplace.com

melaniealdridgephotography.com

ss3369.com

career-bliss.com

handelbabu.quest

larryhover.com

xyz-vr.xyz

telvicedemo.net

aaakk95.com

follow-er.com

thepiwarrior.com

dgltqd.com

dailyswee.com

tonymoney.net

earthsidesoulalchemist.com

meditatieleeuwarden.online

blancorealtor.com

xn--erhardlohmller-psb.gmbh

coachtobetter.info

singpost.agency

Targets

    • Target

      PO6312.EXE

    • Size

      286KB

    • MD5

      6dca73a65b62eb5f40cc45ec4085f695

    • SHA1

      5a478b2dd4ba1bcfaeec8cde0d5ff7f6e8bd9798

    • SHA256

      9fe9d14b0dfe4fd0006b432eb8acb4bbba782da6071fb4ca50676a1ebb73958f

    • SHA512

      9a23ab54b531436b52f870ad80241eefa843f66f18279dfdf1f263a4008b98aba2f30f37d55e497d4b2de9259217687feef5f59c0d978d969f4b7509d8d44800

    Score
    10/10
    xloaderhpinloaderratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Blocklisted process makes network request

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks