Resubmissions

  • 19-02-2022 05:11    220219-fvblqshbep    10

  • 17-02-2022 18:40    220217-xbmckadbe5    10

  • 17-02-2022 18:30    220217-w5he2aebek    10

General

  • Target

    48dd5584cf3d6c0930f09e335d98d4fd

  • Size

    294KB

  • Sample

    220217-xbmckadbe5

  • MD5

    48dd5584cf3d6c0930f09e335d98d4fd

  • SHA1

    a072e576904888726dda9ad1c61673492cd72eae

  • SHA256

    22d5552fed81b606509972d3c12830cd2cfcd77ec68a8791706099e97b2c1bad

  • SHA512

    95492bb4e2a9f51f5ff547d2b7e534787cac49d7004a146bdf3df01d7f22f478a7f89f19f1fb411487d8b58b153223e093db44fc6441696091302459d6c3b9e9

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    t9hh

  • Decoy

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    Slaves

  • C2

    hom135.ddns.net:100

  • Mutex

    d4903fdacbb79e6cd1109a741a2bc821

  • Attributes

    reg_key: d4903fdacbb79e6cd1109a741a2bc821

    splitter: |'|'|

Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Xloader Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • T1031 Modify Existing Service (1)

  • T1060 Registry Run Keys / Startup Folder (1)

  • T1067 Bootkit (1)

Defense Evasion

  • T1112 Modify Registry (2)

Discovery

  • T1082 System Information Discovery (3)

  • T1012 Query Registry (2)

Tasks