General

  • Target

    a4e6c9409796f16634d1ea40046a99021f940425a84abe6f5cc638734d9f13b8

  • Size

    588KB

  • Sample

    220221-msa1rafdd2

  • MD5

    03dfe0c922c9d2db8b0305bd4eee4bf1

  • SHA1

    e8260934eaa8a4f6c9f4fa18ce7e435606adf562

  • SHA256

    a4e6c9409796f16634d1ea40046a99021f940425a84abe6f5cc638734d9f13b8

  • SHA512

    46911be678004260b454d70efe1bff5cbe18c74748f0363349f6cd97956f8ff4aa6f4874a4ba9f55154d1a084b8f1f83a1be466908e93a5ef72c4e28ab6aa39c

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

kio8

Decoy

greeaircondition.com

thewilmingtonguide.com

cbluedotlivewdmall.com

globalcrime24.com

heightsplace.com

ghar.pro

asosbira.com

melolandia.com

velactun.com

erniesimms.com

nutbullet.com

drizzerstr.com

hnqym888.com

ghorowaseba.com

1317efoxchasedrive.info

stjudetroop623.com

facestaj.com

airpromaskaccessories.com

wolfetailors.com

56ohdc2016.com

Targets

    • Target

      Inv.73828374291273/Bank Details827363812 .exe

    • Size

      519KB

    • MD5

      ad6e22542a878923e86da30d3e25c942

    • SHA1

      fa760e243583ffed1c1e9de2e1ca93e27f170de4

    • SHA256

      82327e5e44156cddbd2dd77556fc746dad24eeaedc11733c82729c7d0c10a1e7

    • SHA512

      ca690896b789cd87bf62c9b9d65a6efadae4f8352c03cf818fe61931477d089b9f7ef057a1471eef6864e2a3877592d3981436fdedb842a514a67d8b2b2ac1e4

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Deletes itself

    • Suspicious use of SetThreadContext

    • Target

      Inv.73828374291273/Bank Details827363812 .pdf.lnk

    • Size

      1KB

    • MD5

      649eacdfc07b3a918b7bf99dcdbee0dd

    • SHA1

      fd2fa8f0554cb8c63c2d658478702ff80ee3fb44

    • SHA256

      15f2c49b2f0483a141c8ffc320ffd1f1a4fb3b289a10119993208e797b7e1d59

    • SHA512

      2ebed14f0b616080d11f149de436f72416968d0a9d7417b1a27b10507195ea461c57919a35e8881cc5bf60f7e4beaebd93b60cc195f61f27a9d9fba48617af41

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      Inv.73828374291273/inv.0419827363812.pdf.lnk

    • Size

      1KB

    • MD5

      0d0f3a9f80755b113951c078d2b42450

    • SHA1

      22cb97859d1d598a29fc6e5463cc9a7eecd5e3a8

    • SHA256

      8e6ce9999bbd7353629cec992372991ad0ada918d0ed952db4af6b7790b12c21

    • SHA512

      ad9e7cddc40692d0ff001b2fca0b23e21a4cbdf6c620d22f80b79b7eb9451491108180c717a894d684043add86659358c3d4f78f4c2115e2fae86d8e26e648b7

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      Inv.73828374291273/inv.827363812.exe

    • Size

      519KB

    • MD5

      ad6e22542a878923e86da30d3e25c942

    • SHA1

      fa760e243583ffed1c1e9de2e1ca93e27f170de4

    • SHA256

      82327e5e44156cddbd2dd77556fc746dad24eeaedc11733c82729c7d0c10a1e7

    • SHA512

      ca690896b789cd87bf62c9b9d65a6efadae4f8352c03cf818fe61931477d089b9f7ef057a1471eef6864e2a3877592d3981436fdedb842a514a67d8b2b2ac1e4

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Deletes itself

    • Suspicious use of SetThreadContext

    • Target

      Inv.73828374291273/inv.827363812.pdf.lnk

    • Size

      1KB

    • MD5

      0d0f3a9f80755b113951c078d2b42450

    • SHA1

      22cb97859d1d598a29fc6e5463cc9a7eecd5e3a8

    • SHA256

      8e6ce9999bbd7353629cec992372991ad0ada918d0ed952db4af6b7790b12c21

    • SHA512

      ad9e7cddc40692d0ff001b2fca0b23e21a4cbdf6c620d22f80b79b7eb9451491108180c717a894d684043add86659358c3d4f78f4c2115e2fae86d8e26e648b7

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 4

  • System Information Discovery (T1082): 7

Tasks