Overview

overview

10

Static

static

shipping docs.exe

windows7_x64

10

shipping docs.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    shipping docs.exe

  • Size

    722KB

  • Sample

    220628-ssksvacah6

  • MD5

    ec529b525e7897c81b9fd1e2291cf885

  • SHA1

    867d80609c6fe0cafe8326c5572c243e24da1f42

  • SHA256

    1752302de3862bd15be2d539255fed5e71a4180cd987b206542ef8d5f5c6af13

  • SHA512

    6080162b81e69209f6866c7e3e5abfb52a719c0ef55f523e637af26646daf91c01f6e150790e8a12f87db5a76a39aed7fa92510c2149c7f4ca6e88e0bd11003c

Score
10/10
xloadergfv7loaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

gfv7

Decoy

hd4AZDZ3XeSkZ9w0NRn2+JU=

6iAxmGKdumxFEgwp

jM6QcxNUSeCKaUdvvh3g9mffhosQ

d4CC0LS0DjTJS8FdXqd3soM=

S1LPlXEIJY52Og==

doeO7AimsF0NEvFgnIV5

W2TlzH/byHtUU3B7tw==

Y2RAbyZjex2qj6GQv4Q=

ftoOsCpZdfmALQ==

4kqL8v/6rDj8Ohs/wAjkb0gD5Gfiww==

8mVs/AkvwLnIWp4=

yfqAazgHioT8b9yHSKpLDtgY

EyWD5F+Wu3L0xq/VJXgdlnFvBDdUz5WM

jn9ty+pdRNdtcDhJ5k8nwZofm4EJ

s9XVNv4/aRDBUx4w

+vHFE7Fw1rnIWp4=

wC395Yvi6G/3yoWRGW1USxzshi3Dyw==

jcbufIN91gHAUK1RYUMYIdyqpDlUz5WM

iIyoIvZNXwPNmBlBxGk6+A==

C/hTD8h/KWLiMW4Mt/joXyz23Q==

Targets

    • Target

      shipping docs.exe

    • Size

      722KB

    • MD5

      ec529b525e7897c81b9fd1e2291cf885

    • SHA1

      867d80609c6fe0cafe8326c5572c243e24da1f42

    • SHA256

      1752302de3862bd15be2d539255fed5e71a4180cd987b206542ef8d5f5c6af13

    • SHA512

      6080162b81e69209f6866c7e3e5abfb52a719c0ef55f523e637af26646daf91c01f6e150790e8a12f87db5a76a39aed7fa92510c2149c7f4ca6e88e0bd11003c

    Score
    10/10
    xloadergfv7loaderratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks