General

  • Target

    BUOSdmqXoY_bin.js

  • Size

    478KB

  • Sample

    220629-tkvthsahek

  • MD5

    c9328234265a979cf27338a10177294e

  • SHA1

    f0670d7702b94a89c221a0a644d53be6e2a6c787

  • SHA256

    d7e2a4d27dc5acf5fd79691978b79889a88b260b1c5f0a5b9d0578aa62fa2195

  • SHA512

    1abaac12f3a0c1cec20073a3cb5ad0b391b353708614c45ca3fb8d5b8a7016619dfdbbbb54d037a4412658415cba1bbe790b22a65b1a1ee53ce454751b63ab7f

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

mdzq

Decoy

(Xloader sends its check-ins to these decoy domains as well as to its real C2 so that the real server hides among them; no separate C2 field was extracted here. Most decoys are unrelated or legitimate domains, so treat the list as review-only rather than blocklisting it wholesale.)

leop.red

actoconcept.fr

doesmee.com

goplygolf.com

cqshki.net

leflegme.com

wgamersport.xyz

4513367.com

shpoweronline.com

ingeniousconsultingservices.com

dentaldenalia.com

saaraba.net

artnow.media

sbwyt.com

nortonrosefulbrigiht.com

autorad.xyz

clergyfundingandinsurance.com

boarko.com

xn--zoom-kh4j.com

739lakemuirdr.com

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

franmhort.duia.ro:8153

Mutex

Mutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    win.exe

  • install_folder

    %AppData%

aes.plain
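The two extracted configurations above are the part of this report a responder reuses. The following is an added hunting helper written for this page, not code from the sandbox or from either malware family: it turns the AsyncRAT C2/mutex/install path and the Xloader decoy list into checks over DNS, flow, registry and mutex telemetry. The log line layouts, the sample records, the `%AppData%` expansion to `C:\Users\<user>\AppData\Roaming` and all function names are assumptions made for the example; the decoy domains are scored "review" rather than "block" for the reason given under Decoy.

```python
import re
from typing import Dict, List, Set, Tuple

# Indicators copied from the extracted configs above (AsyncRAT 0.5.7B and
# Xloader 2.6, campaign "mdzq").
ASYNCRAT_C2_HOST = "franmhort.duia.ro"
ASYNCRAT_C2_PORT = 8153
ASYNCRAT_MUTEX = "Mutex_6SI8OkPnk"
# install_folder %AppData% + install_file win.exe; %AppData% is assumed to
# expand to C:\Users\<user>\AppData\Roaming, and .reg exports double backslashes.
ASYNCRAT_INSTALL_RE = re.compile(r"\\+AppData\\+Roaming\\+win\.exe\b", re.IGNORECASE)
# The Run keys behind the "Adds Run key" / "Adds policy Run key" signatures.
RUN_KEY_RE = re.compile(
    r"^\[HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\(?:Policies\\Explorer\\)?Run\]$",
    re.IGNORECASE,
)
# Xloader decoys mask the real C2; they are often unrelated or legitimate
# domains, so a hit is scored "review", never "block".
XLOADER_DECOYS = frozenset("""
leop.red actoconcept.fr doesmee.com goplygolf.com cqshki.net leflegme.com
wgamersport.xyz 4513367.com shpoweronline.com ingeniousconsultingservices.com
dentaldenalia.com saaraba.net artnow.media sbwyt.com nortonrosefulbrigiht.com
autorad.xyz clergyfundingandinsurance.com boarko.com xn--zoom-kh4j.com 739lakemuirdr.com
""".split())


def classify_host(host: str) -> str:
    """'block' for the AsyncRAT C2 (or a subdomain), 'review' for an Xloader decoy."""
    h = host.lower().rstrip(".")
    if h == ASYNCRAT_C2_HOST or h.endswith("." + ASYNCRAT_C2_HOST):
        return "block"
    if any(h == d or h.endswith("." + d) for d in XLOADER_DECOYS):
        return "review"
    return "clean"


def scan_dns(lines: List[str]) -> Tuple[List[Tuple[str, str, str]], Set[str]]:
    """Constructed format 'ts client qtype qname [answer]'; returns non-clean hits and the C2's resolved IPs."""
    hits, c2_ips = [], set()
    for ln in lines:
        p = ln.split()
        if len(p) < 4:
            continue
        verdict = classify_host(p[3])
        if verdict != "clean":
            hits.append((p[0], p[3], verdict))
        if verdict == "block" and len(p) > 4:
            c2_ips.add(p[4])  # pivot: flows to this IP are C2 even on another port
    return hits, c2_ips


def scan_flows(lines: List[str], c2_ips: Set[str]) -> List[Tuple[str, str]]:
    """Constructed format 'ts src dst:port proto'; port 8153 is annotated, not required."""
    flagged = []
    for ln in lines:
        p = ln.split()
        if len(p) < 4 or ":" not in p[2]:
            continue
        dst, port = p[2].rsplit(":", 1)
        if dst in c2_ips:
            note = "configured C2 port" if int(port) == ASYNCRAT_C2_PORT else "non-default port"
            flagged.append((p[0], f"{dst}:{port} {note}"))
    return flagged


def scan_registry(export: str) -> List[Tuple[str, str]]:
    """Walk a .reg-style export; return (key, value) for Run entries that launch win.exe from %AppData%."""
    found, current = [], None
    for raw in export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            current = line if RUN_KEY_RE.match(line) else None
        elif current and ASYNCRAT_INSTALL_RE.search(line):
            found.append((current, line))
    return found


def scan_mutexes(names: List[str]) -> List[str]:
    """Match the configured mutex by basename so \\BaseNamedObjects\\ prefixes still hit."""
    return [n for n in names if n.rsplit("\\", 1)[-1] == ASYNCRAT_MUTEX]


# Constructed sample telemetry (not from the report), one true hit per source.
SAMPLE_DNS = [
    "2022-06-29T10:01:12Z 10.0.0.12 A www.example.org 93.184.216.34",
    "2022-06-29T10:01:15Z 10.0.0.12 A franmhort.duia.ro 203.0.113.5",
    "2022-06-29T10:01:20Z 10.0.0.12 A goplygolf.com 198.51.100.7",
]
SAMPLE_FLOWS = [
    "2022-06-29T10:01:16Z 10.0.0.12 203.0.113.5:8153 tcp",
    "2022-06-29T10:02:00Z 10.0.0.12 93.184.216.34:443 tcp",
]
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"win"="C:\\Users\\bob\\AppData\\Roaming\\win.exe"
"""
SAMPLE_MUTEXES = ["\\Sessions\\1\\BaseNamedObjects\\Mutex_6SI8OkPnk", "Mutex_6SI8OkPnk"]


def hunt(dns=SAMPLE_DNS, flows=SAMPLE_FLOWS, reg=SAMPLE_REG, mutexes=SAMPLE_MUTEXES) -> Dict[str, list]:
    dns_hits, c2_ips = scan_dns(dns)
    return {"dns": dns_hits, "flows": scan_flows(flows, c2_ips),
            "registry": scan_registry(reg), "mutex": scan_mutexes(mutexes)}
```

The DNS-to-flow pivot matters because `franmhort.duia.ro` is a dynamic DNS name: the operator can re-point it or move the listener off 8153 without changing the hostname, so the resolved IP taken from your own resolver logs is a stronger flow indicator than the port. Swap the constructed samples for real exports (DNS query logs, NetFlow, a `reg export` of the Run keys, a handle or mutex listing) with the same field order.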

Targets

    • Target

      BUOSdmqXoY_bin.js

    • Size

      478KB

    • MD5

      c9328234265a979cf27338a10177294e

    • SHA1

      f0670d7702b94a89c221a0a644d53be6e2a6c787

    • SHA256

      d7e2a4d27dc5acf5fd79691978b79889a88b260b1c5f0a5b9d0578aa62fa2195

    • SHA512

      1abaac12f3a0c1cec20073a3cb5ad0b391b353708614c45ca3fb8d5b8a7016619dfdbbbb54d037a4412658415cba1bbe790b22a65b1a1ee53ce454751b63ab7f

    • AsyncRat

      AsyncRAT is an open-source .NET remote access trojan that gives the operator remote monitoring and control of the infected host (screen and keystroke capture, file transfer, command execution, plugin loading).

    • Formbook

      Formbook is an information stealer: it hooks browsers and other applications to harvest credentials and submitted form data, logs keystrokes and clipboard contents, and can download and run further payloads.

    • Xloader

      Xloader is the rebranded successor of Formbook (sold under the new name from late 2020), adding a macOS variant alongside the Windows build.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    • Async RAT payload

    • Xloader Payload

    • Adds policy Run key to start application

      Persistence via Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, a Run key that autostart inventories which only check the usual CurrentVersion\Run keys will miss.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is the usual way to redirect a suspended process to injected code (process hollowing); Formbook/Xloader is known to inject itself into other processes this way.

MITRE ATT&CK Matrix (ATT&CK v6)

The count after each technique is the number of matched signatures. The v6 IDs T1060 and T1081 were later folded into T1547.001 (Registry Run Keys / Startup Folder) and T1552.001 (Credentials in Files); the remaining IDs still exist in current ATT&CK.

  • Execution: Scheduled Task, T1053 (1)

  • Persistence: Registry Run Keys / Startup Folder, T1060 (2); Scheduled Task, T1053 (1)

  • Privilege Escalation: Scheduled Task, T1053 (1)

  • Defense Evasion: Modify Registry, T1112 (4)

  • Credential Access: Credentials in Files, T1081 (1)

  • Discovery: Query Registry, T1012 (1); System Information Discovery, T1082 (2)

  • Collection: Data from Local System, T1005 (1)

Tasks