Overview

overview

10

Static

static

Pzszsebwqn...nn.exe

windows10_x64

10

Resubmissions

01-02-2022 13:08

220201-qdmyjsdde8 10

01-02-2022 12:57

220201-p62fzabab6 10

01-02-2022 07:00

220201-hsnvdsbab7 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Pzszsebwqndrzimfyunhokbpqivlqwshnn.exe

  • Size

    920KB

  • Sample

    220201-qdmyjsdde8

  • MD5

    65523cf4b441d2dbe144566c4bea5849

  • SHA1

    119d9e00c6b08f5e93f477a9429c263390e4a4c2

  • SHA256

    09effc5108b5ca6e852a9712180ad493ad2e4aa5e3693056953583fbce18cf92

  • SHA512

    348e742fae24048357e04e10872228438c1a327b7292944beefb0b885b7f9995d01b0aec2e0a5316cf5ac6bcc2f8afd7868076d477bf6b09791d3127b57a089b

Score
10/10
bitratformbookxloaderpvxzbootkitgoogleloaderpersistencephishingratspywarestealertrojanupx

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pvxz

Decoy

imt-token.club

abravewayocen.online

shcloudcar.com

mshoppingworld.online

ncgf08.xyz

stuinfo.xyz

wesavetheplanetofficial.com

tourbox.xyz

believeinyourselftraining.com

jsboyat.com

aaeconomy.info

9etmorea.info

purosepeti7.com

goticketly.com

pinkmemorypt.com

mylifewellnesscentre.com

iridina.online

petrestore.online

neema.xyz

novelfooditalia.com

Extracted

Family

bitrat

Version

1.38

C2

homeplace.kozow.com:4449

Attributes
  • communication_password

    f51dc802382ce2b548bf73ff0726a31d

  • tor_process

    tor

Targets

    • Target

      Pzszsebwqndrzimfyunhokbpqivlqwshnn.exe

    • Size

      920KB

    • MD5

      65523cf4b441d2dbe144566c4bea5849

    • SHA1

      119d9e00c6b08f5e93f477a9429c263390e4a4c2

    • SHA256

      09effc5108b5ca6e852a9712180ad493ad2e4aa5e3693056953583fbce18cf92

    • SHA512

      348e742fae24048357e04e10872228438c1a327b7292944beefb0b885b7f9995d01b0aec2e0a5316cf5ac6bcc2f8afd7868076d477bf6b09791d3127b57a089b

    Score
    10/10
    bitratformbookxloaderpvxzbootkitgoogleloaderpersistencephishingratspywarestealertrojanupx

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Detected potential entity reuse from brand google.

      phishinggoogle

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks