General

  • Target

    MSA, a.s., Hlucinska 641, 747 22 Dolni Benesov, Casablanca.7z

  • Size

    1KB

  • Sample

    220831-sfbpeahfe7

  • MD5

    9fc6fac1d4bee7b5430c2f7d7fce3d4c

  • SHA1

    940da96a5f1d4f21b829320993338fb76dd5b8e5

  • SHA256

    c81a5fc98250b0d1653613e27ea03196ac6872630164d5036405e4abc1e77166

  • SHA512

    695097632b9792bf3de29a3f0b1610ec6cb20d00c5d820233577a215974dc6e64f9f0d6344b4bd1aea58a25a3fa3f53f775a9201471adeb230b42bf1a2ff6ebb

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

zgtb

Decoy

gabriellep.com

honghe4.xyz

anisaofrendas.com

happy-tile.com

thesulkies.com

international-ipo.com

tazeco.info

hhhzzz.xyz

vrmonster.xyz

theearthresidencia.com

sportape.xyz

elshadaibaterias.com

koredeiihibi.com

taxtaa.com

globalcityb.com

fxivcama.com

dagsmith.com

elmar-bhp.com

peakice.net

jhcdjewelry.com

Targets

    • Target

      MSA, a.s., Hlucinska 641, 747 22 Dolni Benesov, Casablanca.7z

    • Size

      1KB

    • MD5

      9fc6fac1d4bee7b5430c2f7d7fce3d4c

    • SHA1

      940da96a5f1d4f21b829320993338fb76dd5b8e5

    • SHA256

      c81a5fc98250b0d1653613e27ea03196ac6872630164d5036405e4abc1e77166

    • SHA512

      695097632b9792bf3de29a3f0b1610ec6cb20d00c5d820233577a215974dc6e64f9f0d6344b4bd1aea58a25a3fa3f53f775a9201471adeb230b42bf1a2ff6ebb

    Score
    3/10
    • Target

      MSA, a.s., Hlucinska 641, 747 22 Dolni Benesov, Casablanca.js

    • Size

      4KB

    • MD5

      f8a0d1103f19d54f1f7cc98395c5a6e4

    • SHA1

      0ec2b47c921a47dfd07d49c5cb4287fc716242a7

    • SHA256

      264d299a0fe5adfa13d59156d2c5c39a6646ee96bfa61cbc4a7ef1c7cdd5d44c

    • SHA512

      a662f39e395b57193e9c29c23bba261c20e1452a58f24d0312ac6a0511146f9319423b8bb9ff0ac3e73cd49f399fd9edc410c1fe601e5bcb81152ad6a2b4fb46

    • SSDEEP

      96:0J9GQhDmAddiwMrgrQR0jMRzpD2z4asg4z4aZn2ne1kK3UC/T9GQXihBJvXogXby:0DGQhxniwMrgrQR0jMRzpD2z4asg4z46

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of the Formbook information stealer. Its configuration embeds a list of decoy domains alongside the real C2 (the hosts listed under Decoy above), so none of them should be treated as confirmed C2 infrastructure without further analysis.

    • Xloader payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Drops startup file

    • Suspicious use of SetThreadContext

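The behaviours above are what the sandbox flagged. As an added example that is not part of this report or of the Xloader/Formbook code, the script below runs a heuristic triage pass over a constructed process/file/API event trace and raises the same six signatures from raw events: a script host making a network request, a written file whose header parses as MZ/PE, execution of that dropped file, a write into the Startup folder, deletion of the launching script, and SetThreadContext into a child created with CREATE_SUSPENDED. The event schema, file paths and the 198.51.100.23 address are assumptions made for illustration.

```python
# Added example, not part of the Triage report or of the Xloader/Formbook
# code: a heuristic triage pass over a constructed process/file/API event
# trace that flags the behaviours the report lists. The event schema, the
# file paths and the 198.51.100.23 address are assumptions for illustration.
import struct

# Script hosts that rarely have a legitimate reason to fetch and run binaries.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
CREATE_SUSPENDED = 0x00000004  # CreateProcess dwCreationFlags bit


def looks_like_pe(head: bytes) -> bool:
    """True if the leading bytes carry a DOS header whose e_lfanew field
    points at the 'PE\\0\\0' signature. A short prefix is enough."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Walk the trace once; return {signature name: [evidence, ...]}."""
    findings = {}
    script_of = {}     # pid -> script path a script host was launched with
    networked = set()  # pids that opened a network connection
    dropped = set()    # lower-cased paths of PE files written during the run
    suspended = {}     # child pid -> creating pid, for CREATE_SUSPENDED children

    def hit(sig, why):
        findings.setdefault(sig, []).append(why)

    for ev in events:
        pid, image, op = ev["pid"], basename(ev["image"]), ev["op"]
        if op == "process_start" and image in SCRIPT_HOSTS:
            script_of[pid] = ev["script"].lower()
        elif op == "net_connect":
            networked.add(pid)
            if image in SCRIPT_HOSTS:
                hit("Blocklisted process makes network request",
                    f"{image} (pid {pid}) -> {ev['host']}:{ev['port']}")
        elif op == "file_write":
            path = ev["path"]
            if looks_like_pe(ev["head"]):
                dropped.add(path.lower())
                if pid in networked:
                    hit("Downloads MZ/PE file", f"{image} wrote {path}")
            if STARTUP_MARKER in path.lower():
                hit("Drops startup file", path)
        elif op == "create_process":
            if ev["child_image"].lower() in dropped:
                hit("Executes dropped EXE", ev["child_image"])
            if ev["flags"] & CREATE_SUSPENDED:
                suspended[ev["child_pid"]] = pid
        elif op == "file_delete":
            if script_of.get(pid) == ev["path"].lower():
                hit("Deletes itself", ev["path"])
        elif op == "api_call" and ev["api"] == "SetThreadContext":
            target = ev["target_pid"]
            # Rewriting the context of a child created suspended is the
            # classic process-hollowing / injection pattern.
            if target != pid and suspended.get(target) == pid:
                hit("Suspicious use of SetThreadContext",
                    f"pid {pid} set thread context in suspended child {target}")
    return findings


# Constructed sample trace modelled on the report's signature list.
PE_HEAD = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
SCRIPT = r"C:\Users\victim\Downloads\MSA, a.s., Hlucinska 641, 747 22 Dolni Benesov, Casablanca.js"
DROP = r"C:\Users\victim\AppData\Local\Temp\rvnqs.exe"
STARTUP = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rvnqs.lnk"

SAMPLE_TRACE = [
    {"pid": 100, "image": WSCRIPT, "op": "process_start", "script": SCRIPT},
    {"pid": 100, "image": WSCRIPT, "op": "net_connect", "host": "198.51.100.23", "port": 80},
    {"pid": 100, "image": WSCRIPT, "op": "file_write", "path": DROP, "head": PE_HEAD},
    {"pid": 100, "image": WSCRIPT, "op": "create_process", "child_pid": 200, "child_image": DROP, "flags": 0},
    {"pid": 100, "image": WSCRIPT, "op": "file_write", "path": STARTUP, "head": b"L\0\0\0"},
    {"pid": 100, "image": WSCRIPT, "op": "file_delete", "path": SCRIPT},
    {"pid": 200, "image": DROP, "op": "create_process", "child_pid": 300, "child_image": DROP, "flags": CREATE_SUSPENDED},
    {"pid": 200, "image": DROP, "op": "api_call", "api": "SetThreadContext", "target_pid": 300},
]

if __name__ == "__main__":
    for sig, why in triage(SAMPLE_TRACE).items():
        print(f"{sig}: {why}")
```

The PE check reads e_lfanew rather than trusting the MZ magic alone, since many non-executable formats (and padding) can start with "MZ"; the SetThreadContext rule only fires when the target thread belongs to a child the same process created suspended, which keeps ordinary debugger use from tripping it.
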
MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    System Information Discovery, T1082 (2 hits)

Tasks