Overview

overview

10

Static

static

INQNEW#PO2...df.exe

windows7_x64

10

INQNEW#PO2...df.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    INQNEW#PO24052022,qdf.iso

  • Size

    328KB

  • Sample

    220525-razcvaahe9

  • MD5

    c465d4c7469ae6b40cc77e8769fd4b27

  • SHA1

    4b180fbfa958909a9505e9b7f625c6127c18789a

  • SHA256

    62d4b809036b03226c7b5c36b6126d97cc1ecf915200146391bf05e74c58e874

  • SHA512

    aff433a1ceaf907a031b5d5bc742efb79118819a48e508935335e2ab0a807f021deaaf369196d39464af81a39fa31f7f9b5f84431a5fec29f154ad37c1d065d3

Score
10/10
xloaderbe4oloaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

be4o

Decoy

laboratoriobioixcha.com

tictocperushop.online

wild-oceans.com

belaruscountry.com

kicktmall.com

fitcoinweb.tech

mores.one

gogear.one

gxrcksy.com

samrcq.com

impossible-icecream.com

bravesxx.com

bookchainart.com

sleepsolutionsofmboro.com

ocbrazilbusinessclub.com

advisor76.xyz

xitaotech.com

mgsdtytifgf3414.xyz

johnson-brown.net

cr3drt.com

Targets

    • Target

      INQNEW#PO24052022.qdf.exe

    • Size

      276KB

    • MD5

      ebb0fecde4a2e88c63c27c82810113b5

    • SHA1

      c5658bec21ea4dfe2d0a66089d2d18bf081c778f

    • SHA256

      df1b0eef4f32a5c2527691175375962957db71bc913d37f6e71150e599b2b31c

    • SHA512

      05960c717d5f30ca5b1424a3a2806c2a7a00b6ec4a3949bdb7db4d7f5fd885119cf18cbb752537ddcb7bc277ecf683d060c40baee3ac6bdb6f76cb5a50598ad8

    Score
    10/10
    xloaderbe4oloaderpersistenceratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Scripting

1
T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks