Overview

overview

10

Static

static

Swift Copy.exe

windows7_x64

10

Swift Copy.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e5ee944909bd91bfeb6b21eaf3d8f85e702b9eb99e7f1c6c6b780ae12bb61eb4

  • Size

    487KB

  • Sample

    220131-s17btahfcj

  • MD5

    a46bc7a8867d6c8a0807190f5724f1d5

  • SHA1

    3106f6f963848f9b81b0527fd921776720af5d83

  • SHA256

    e5ee944909bd91bfeb6b21eaf3d8f85e702b9eb99e7f1c6c6b780ae12bb61eb4

  • SHA512

    45b6480b5009eaadd85b1a805ae86f2a95b3a7b755b6bb12681b461b8cf8ad755fcc9fcaa2422cdd84c17dcc7e9e064d1c1c154574c9552183ff151bb1c06ce3

Score
10/10
xloadern58iloaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n58i

Decoy

electrifyz.com

silkpetalz.net

cognitivenavigation.com

poophaikus.com

orchidiris.com

arteregalos.com

dailybookmarks.info

gogoanume.pro

hushmailgmx.com

trjisa.com

notontrend.com

2020polltax.com

orderhappy.club

panggabean.net

govsathi.com

hrsbxg.com

xvideotokyo.online

lotteplaze.com

lovecleanliveclean.com

swaphomeloans.net

Targets

    • Target

      Swift Copy.exe

    • Size

      696KB

    • MD5

      c3ad076b201b02706effd72bbdfe71c4

    • SHA1

      05a3a508addfd530113fb6f78122164476d3f651

    • SHA256

      61de0ac2005f1345bfb72a35e04d02e41d981e6ffa23944d3b1cae93be22856b

    • SHA512

      fe0441c5043fbc6620ad6c37a926df966ecb0a3797402a79ba0cd6e44743419b418d18890ab36dae09c27deefda74992845ebacb09c7d2cd15af3fd4dc659d1b

    Score
    10/10
    xloadern58iloaderratsuricatapersistence

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Blocklisted process makes network request

    • Sets service image path in registry

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks