Overview

overview

10

Static

static

PO.exe

windows7_x64

10

PO.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    07033cb09a7c7cecf465003cf625997743f5263f8285d3204c6c3eb0825a8b2c

  • Size

    466KB

  • Sample

    220131-z3j3macacp

  • MD5

    8bf61fcddf180c45869751eca4bb0938

  • SHA1

    e179bc30bee2f8a80ee1827df5c29961189703c2

  • SHA256

    07033cb09a7c7cecf465003cf625997743f5263f8285d3204c6c3eb0825a8b2c

  • SHA512

    91ce53efb6690cd5774847e505f0bf0242edad46c6263ed8dbfc8c0a24d0c23aa587d1203519e66471e3f56882e928dd79e1aa055031c57821e41d5fd09b239d

Score
10/10
xloadern58iloaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

n58i

Decoy

nl-cafe.com

votetedjaleta.com

britrobertsrealtor.com

globipark.com

citysucces.com

verisignwebsite-verified.com

riddlepc.com

rosecityclimbing.com

oleandrinextract.com

salmankonstruksi.com

needhamchannel.com

refreshx2z.com

youth66.com

pla-russia.com

halloweenmaskpro.com

exdysis.com

1gcz.com

lookgoodman.com

rlxagva.com

stlcityc.com

Targets

    • Target

      PO.exe

    • Size

      484KB

    • MD5

      0650530c0192eead0466f36564026598

    • SHA1

      a731bbf3310af1d83119131c0e182e4302062eef

    • SHA256

      d62663072daa5bde186f1d0c406225099d7ae372d00969a57016206c099ee1b7

    • SHA512

      b35bf8737584a618af06804f7ea4b2fcfaa56d0cb2fa6c22a6584a243a65f544598e24ff317749bac39148f79439e7139d0847eaf77d1589d3764e073fd66d97

    Score
    10/10
    xloadern58iloaderratsuricatapersistence

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Sets service image path in registry

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks