Overview

overview

10

Static

static

10

01.exe

windows10-2004-x64

10

02.exe

windows10-2004-x64

10

03.exe

windows10-2004-x64

10

04.exe

windows10-2004-x64

10

05.exe

windows10-2004-x64

10

06.exe

windows10-2004-x64

10

07.exe

windows10-2004-x64

10

08.exe

windows10-2004-x64

10

09.exe

windows10-2004-x64

10

10.exe

windows10-2004-x64

10

11.exe

windows10-2004-x64

10

12.exe

windows10-2004-x64

10

13.exe

windows10-2004-x64

10

14.exe

windows10-2004-x64

10

15.exe

windows10-2004-x64

10

16.exe

windows10-2004-x64

10

17.exe

windows10-2004-x64

10

18.exe

windows10-2004-x64

10

19.exe

windows10-2004-x64

10

20.exe

windows10-2004-x64

10

21.exe

windows10-2004-x64

10

22.exe

windows10-2004-x64

10

23.exe

windows10-2004-x64

10

24.exe

windows10-2004-x64

10

25.exe

windows10-2004-x64

10

26.exe

windows10-2004-x64

10

27.exe

windows10-2004-x64

10

28.exe

windows10-2004-x64

10

29.exe

windows10-2004-x64

10

30.exe

windows10-2004-x64

10

31.exe

windows10-2004-x64

10

32.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    11.zip

  • Size

    5.8MB

  • Sample

    220902-dze4lsfdhn

  • MD5

    4e159fcc2572ce37f537504e5e528005

  • SHA1

    7eadd69b2cdf4598363ba6c13f1b6058099b1cac

  • SHA256

    cd658724ee9fe350e77a43562a3d1f9d1676fe6dcb15ea13490f4ce05bf85111

  • SHA512

    4b754d34437eec4595ecbd9b48fd90eec745ec254b938efd1da7b5625dd44da1ed6ca79e3765e9d4e7f433c1b1316b5fa5a648976f6af9a144f27cf0c6c9db11

  • SSDEEP

    98304:Ju4pC5rjffNPavHUNY9N82OzQ5xATrOvXZx82Oz7RhAEYXsnAUz82QtSJ:84pC5rDfNPavHUNY9v5xATaZMspXsnA2

Score
10/10
formbookxloader6hsct3b6loaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xloader

Version

3.0

Campaign

6hsc

Decoy

6cvqXARAGlgdnnbXYQ==

Mi4yZ8FULou6w26U2FDnEbA=

Xmx0bJmRZGL+O0RFfLFNN9AMdwn+

B0WNhyl4T2gWBIqE1VDnEbA=

DI2G9/sG/v6YIh42aQ==

0NTaAl90ZWYiGV/bT4U=

DWCuXrL23Cc3xdIG/0dT

fTbzys/dddqOVQ==

8ClrDFi3i+asgxBOnguhlQ==

YjOkWLSpXeqrXw==

gAIov8vbtv8vr8/tFSXvDULL7thokKA=

xMW2qsXay7xNkonR/zxPo939

xc38fRlgO2opnnbXYQ==

+o31vQlURJKmLUWfHlMq0Gjs

z6GwWxCSKJLJ

2pnQ5evpehAxUt4hd6pq9X71

2CmXDSU2DTmDR+Q=

WV9ScxFQID1V2glQnguhlQ==

L8UDlK65h9wJ7Zeb3VDnEbA=

Agb4LF2bRcDX

Extracted

Family

xloader

Version

2.9

Campaign

t3b6

Decoy

QyGobaWrJoYaEAcy

D8XDiPAjrMeNCO8i2Zh7el/h

+H+f+AzMc2MnFYM=

B87TMBpLmMO5Mg==

UzqNdtQVLtSWUT2246UMUzpwSfCM7/4=

PSBsR4Zc/owSAf0r

PSJ3R95yfCQqrzJlVFM1CQ==

fec0BZWI+yWcJ+04/aVWAQ==

91SJ3EvNz2km59kH1l18gCUPACmZ

xchPJrY/JpgSAf0r

e2OKSdjCX8M6r50e118MLeOAQ7N55w==

h/uLbAwS4Ig+/tXPchlyeSAPACmZ

Bl+vjTxPkC3tPA==

zytv4/3QZpvEU5Q=

fVHWncb266i2gKGdxw==

9jNYqsWVI5kSAf0r

e/MldsZgjorId+qeTxpdv8k=

vX+9ii0byNRiIg02

dOoxn8ooSi05NS9iVFM1CQ==

ZV+j+w3Fa2MnFYM=

Targets

    • Target

      01.exe

    • Size

      176KB

    • MD5

      03c8d6acb73f7c36433b76769f27d5af

    • SHA1

      ad6fc734e8a1055020e497ca124d6daee675aed7

    • SHA256

      c086dd58868f8221fe17857e11ffc8ebf1c4a1674ada24a3bc97448af54f9454

    • SHA512

      1e59131f2d73dcd61243a613180f7efbbaf94d0991a62dffef19605577b3c61cd0b417d4341565ef31abb96582af8da64ef9e9b904bbf6ea2d3d318926a0cc37

    • SSDEEP

      3072:9uM8UX7+jHxfGPS4WuGbrvhcuXphx8P0gPdemsabrxZJjQfMH1Vlbi:9UUL+j9OSzbr5cuzCPFPRnX1jwC1Vlbi

    Score
    10/10
    formbookxloaderloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      02.exe

    • Size

      177KB

    • MD5

      550076952d4e9961ecf381824c38e022

    • SHA1

      ce65a915752d64e601e158690b198aee5a22a31e

    • SHA256

      15d56d28ea0f515ada674dfbbf4391390e9c1248c7a8c895d932b4220e6c2a81

    • SHA512

      70e42430b94148be0d03d83b82b77177c1288c893b241541bc51a8a87f4f72f9b1e1e14c2508cb44c30a33a17318077454d439143261e3949ead2df2505632d5

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    formbookxloaderloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Adds policy Run key to start application

      persistence

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral2

    • Target

      03.exe

    • Size

      177KB

    • MD5

      550076952d4e9961ecf381824c38e022

    • SHA1

      ce65a915752d64e601e158690b198aee5a22a31e

    • SHA256

      15d56d28ea0f515ada674dfbbf4391390e9c1248c7a8c895d932b4220e6c2a81

    • SHA512

      70e42430b94148be0d03d83b82b77177c1288c893b241541bc51a8a87f4f72f9b1e1e14c2508cb44c30a33a17318077454d439143261e3949ead2df2505632d5

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    xloaderloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral3

    • Target

      04.exe

    • Size

      176KB

    • MD5

      228b0bc29a751779e97f60e14a1b9f57

    • SHA1

      0c735257db6d9afc8ee6a656a8634310411a049f

    • SHA256

      5480ecfb5e60326a88fe45eb2adf3d9bc67e26fc2fc7800609a467e6a5f77444

    • SHA512

      9a22551428299be14f05dfe3f0f1d710a1a15b794da3e0671abadd934fc576ba022458579d73cfe777c3599fd3c8859c118fa1b632cc7ce2c67108ad42af95f1

    • SSDEEP

      3072:yTjyF3P55Z+0IhW59LQUlOsdZNjIZfR5/VUmhFaIItneeVw65z:33h5JI8LQKj3NjIZfR5/uCFaIItlVw6

    Score
    10/10
    xloaderloaderpersistencerat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral4

    • Target

      05.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    xloaderloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral5

    • Target

      06.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    xloaderloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral6

    • Target

      07.exe

    • Size

      176KB

    • MD5

      26cee6b758a5ad94894c6d462af2eb4f

    • SHA1

      a8b16960c38f95f5da2b99dca83b242afe1a533b

    • SHA256

      5347ec39f392cededb3964cd67a558ad316d80d00805aacbed946e83fbaccac7

    • SHA512

      47f813a034ed2473b6d51828a623cd0cee9a5fca09c6c187cae1ce254b71de54748cd1f771d490a2bcd8c5befe78eb9b564031bfbd54362844cdeff6da2781bd

    • SSDEEP

      3072:yTjyF3P55Z+0IhW59LQUlOsdZNjIZfR5/VUbhFaIItneeVw65z:33h5JI8LQKj3NjIZfR5/ulFaIItlVw6

    Score
    10/10
    formbookxloaderloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral7

    • Target

      08.exe

    • Size

      176KB

    • MD5

      e1c8a8f6226be3df511c0e9a37151abd

    • SHA1

      8f3eb859ac716079a4ac173894f79ab4e352b907

    • SHA256

      2f18211ebd43ac95943e69946808944d98bc76299f63a37eab7ad048d9aeac28

    • SHA512

      963aee2db27eab811b3e2197905c9d4248f04bf74c6c3f0127abd890bff0ecc8497c699d073f2c6246ed13ed8458c004eb0fd0538b52b289328197abf80ade3e

    • SSDEEP

      3072:hLifM4usJiw5elZRXWaJdn1HQwqmfQpqvq/WYiIgKQ8Tnl:hguQ5kRXd1wwJopqvZ89L

    Score
    10/10
    xloaderloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral8

    • Target

      09.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    xloaderloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral9

    • Target

      10.exe

    • Size

      180KB

    • MD5

      12d0de0d9ba0e753b17a5572a3a23822

    • SHA1

      19ea0cdd98fbe21fd9b7a6c1a1a681d882c9e973

    • SHA256

      b38ccebbce70c75c88be4529e17377d914fcc21b63f9afec651299e68b3346a4

    • SHA512

      9f3c978c6793af877209b225bed86745160923f1db142015a0eb542207de43353998e50311914e7e46a29698dd779a2ed855e2d8fa34501bc570fc44144dd856

    • SSDEEP

      3072:2TFKD7rLrumkW7yyuMaEaGLoXgeg0KaMQC+t8j9o8mcW7sFBV:gKPrOmYyud/GLoXgj0KajC+Yo8mcCO3

    Score
    10/10
    formbookxloaderloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral10

    • Target

      11.exe

    • Size

      176KB

    • MD5

      e1c8a8f6226be3df511c0e9a37151abd

    • SHA1

      8f3eb859ac716079a4ac173894f79ab4e352b907

    • SHA256

      2f18211ebd43ac95943e69946808944d98bc76299f63a37eab7ad048d9aeac28

    • SHA512

      963aee2db27eab811b3e2197905c9d4248f04bf74c6c3f0127abd890bff0ecc8497c699d073f2c6246ed13ed8458c004eb0fd0538b52b289328197abf80ade3e

    • SSDEEP

      3072:hLifM4usJiw5elZRXWaJdn1HQwqmfQpqvq/WYiIgKQ8Tnl:hguQ5kRXd1wwJopqvZ89L

    Score
    10/10
    xloaderloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral11

    • Target

      12.exe

    • Size

      176KB

    • MD5

      9cc5e1801eea23862096437651280e34

    • SHA1

      e8af23f0373ec1dca044ad013966feac249f5ad5

    • SHA256

      a7bf236542040507003539e5456542344b406c7d550b6153c28bed68d7a19475

    • SHA512

      16ae1b9420467eb23767c09b3d093aec8641164806804cd8febe00d85e1db1decd393649c52e2c91483e8abfa44cb1cb59083442fa95f0f818ca8d07406e1db5

    • SSDEEP

      3072:+7sC4SyjXw+yq9nvAOTWPe9QY0JrEqTPXJq7on54LkXthmNiKFs:TSyjX1yavAOn9Q9JoqTPZqgrXMF

    Score
    10/10
    xloaderloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral12

    • Target

      13.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    formbookxloaderloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Adds policy Run key to start application

      persistence

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral13

    • Target

      14.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    xloaderloaderpersistenceratspywarestealer

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral14

    • Target

      15.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    formbookxloaderloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Adds policy Run key to start application

      persistence

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral15

    • Target

      16.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    formbookxloaderloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral16

    • Target

      17.exe

    • Size

      176KB

    • MD5

      149f834cb3ebc4fbaf9413e7181d4348

    • SHA1

      c6a37830e0bb5a05fd00c10eba5aced321df66fb

    • SHA256

      0911651dfcd89af8b230db0f9bb1323fa0d47c6c996b6dc7676678ea79cf6882

    • SHA512

      8f422ce370ff484e7fbdc769e3a0f4197209d02fe3a15160c77a3e2e3a88f0811570d257ea6c31172c6e8b1f0b8ee0f4c77ef3e08953ac66ae290cac1d267c70

    • SSDEEP

      3072:tBmbdFaYd4XumdS3DS4WzA7ru28Z4OiNLcI9gmMlrr3mxKDiGb2aH:SzPdTuODS+7rf8uOiNwI9gmoPHb2a

    Score
    10/10
    xloaderloaderpersistencerat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral17

    • Target

      18.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    xloaderloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral18

    • Target

      19.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    xloaderloaderpersistenceratspywarestealer

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Adds policy Run key to start application

      persistence

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral19

    • Target

      20.exe

    • Size

      180KB

    • MD5

      12d0de0d9ba0e753b17a5572a3a23822

    • SHA1

      19ea0cdd98fbe21fd9b7a6c1a1a681d882c9e973

    • SHA256

      b38ccebbce70c75c88be4529e17377d914fcc21b63f9afec651299e68b3346a4

    • SHA512

      9f3c978c6793af877209b225bed86745160923f1db142015a0eb542207de43353998e50311914e7e46a29698dd779a2ed855e2d8fa34501bc570fc44144dd856

    • SSDEEP

      3072:2TFKD7rLrumkW7yyuMaEaGLoXgeg0KaMQC+t8j9o8mcW7sFBV:gKPrOmYyud/GLoXgj0KajC+Yo8mcCO3

    Score
    10/10
    formbookxloaderloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral20

    • Target

      21.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    xloaderloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral21

    • Target

      22.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    xloader6hscloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral22

    • Target

      23.exe

    • Size

      176KB

    • MD5

      675b7c7ed756d2c9bd3319802029a228

    • SHA1

      31b44c6668f81a997cfe99c240a8d9ecd35cbef4

    • SHA256

      a16f939e9b65316cddd172484406394ebda2fed078d611d774b942daa6c239dc

    • SHA512

      776753c4aba10b83f995580940e1100c88999514e25edf2c172073c2f130d98b92e36d0364b91dc16b97e26263c191f7e025778849b1c8255078234cfbe2e861

    • SSDEEP

      3072:bQ9NMqbEzJhsadCKYQIhWEGr+pTJB1qdKXhDD4q0yW6xPJNnwN5GSBCV0BVEm:bcMKQ+aUYIkr+lJ7qIXhDD4q0yHBNnwa

    Score
    10/10
    xloaderloaderpersistenceratspywarestealer

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral23

    • Target

      24.exe

    • Size

      176KB

    • MD5

      a2b59a275d7eb532b4976872fad38cc6

    • SHA1

      0006de71b9270b92c74efa8e58586cf2f7ad1e64

    • SHA256

      067d5253b293459e5454da99c42f3200f8bf7e2cb4ec0e876aac089ac46fe54b

    • SHA512

      5e84c3e7e79019ccb72331e3601b1b4e277ecb0d4728998268ea23e6e41328690596b58c13f53a590379f891b726a5f5c66334aadf74027d8babcdcbd2471777

    • SSDEEP

      3072:QdlpkYBi4+lgqcEehWo2z3sCs6dAkkg5opnFi8T2qM1jrkOfmG4X:Sp3+QEeIz3x3dAkkgoFJT21hmr

    Score
    10/10
    formbookxloaderloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral24

    • Target

      25.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    xloaderloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral25

    • Target

      26.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    formbookxloaderloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral26

    • Target

      27.exe

    • Size

      180KB

    • MD5

      12d0de0d9ba0e753b17a5572a3a23822

    • SHA1

      19ea0cdd98fbe21fd9b7a6c1a1a681d882c9e973

    • SHA256

      b38ccebbce70c75c88be4529e17377d914fcc21b63f9afec651299e68b3346a4

    • SHA512

      9f3c978c6793af877209b225bed86745160923f1db142015a0eb542207de43353998e50311914e7e46a29698dd779a2ed855e2d8fa34501bc570fc44144dd856

    • SSDEEP

      3072:2TFKD7rLrumkW7yyuMaEaGLoXgeg0KaMQC+t8j9o8mcW7sFBV:gKPrOmYyud/GLoXgj0KajC+Yo8mcCO3

    Score
    10/10
    formbookxloaderloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Adds policy Run key to start application

      persistence

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral27

    • Target

      28.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    xloaderloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral28

    • Target

      29.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    formbookxloaderloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral29

    • Target

      30.exe

    • Size

      176KB

    • MD5

      ee3f6b719af708fa9b353f3b9bba512b

    • SHA1

      42992501d9a2b930f6c8930755d4f9b34921fa6e

    • SHA256

      f2c37cdcf66db8a092051dccd5262e994dfe99195cff574c8d8d19bcfd2ad70a

    • SHA512

      b6168858f79882c0e59080b249131766d06a2a9e116091a7bf464545f568ed18ca90afb06a610d2b6e5be7e45c26d5ecf2d5ca54ca034d92217a8f93505299ce

    • SSDEEP

      3072:EDhyoVPOLvfkeP7XeWpmpsnOYOLirAGBP7zHeieKy049NPBTciQ85QA:LoETseP7XWsndBnBP7zHeibyl9NPud25

    Score
    10/10
    formbookxloadert3b6loaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral30

    • Target

      31.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    xloaderloaderpersistenceratspywarestealer

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral31

    • Target

      32.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    Score
    10/10
    xloaderloaderpersistenceratspywarestealer

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

4
T1059

Persistence

Registry Run Keys / Startup Folder

20
T1060

Privilege Escalation

Defense Evasion

Modify Registry

46
T1112

Credential Access

Credentials in Files

18
T1081

Discovery

Query Registry

33
T1012

System Information Discovery

37
T1082

Lateral Movement

Collection

Data from Local System

18
T1005

Exfiltration

Command and Control

Impact

Tasks

static1

ratxloader
Score
10/10

behavioral1

formbookxloaderloaderpersistenceratspywarestealertrojan
Score
10/10

behavioral2

formbookxloaderloaderpersistenceratspywarestealertrojan
Score
10/10

behavioral3

xloaderloaderrat
Score
10/10

behavioral4

xloaderloaderpersistencerat
Score
10/10

behavioral5

xloaderloaderrat
Score
10/10

behavioral6

xloaderloaderrat
Score
10/10

behavioral7

formbookxloaderloaderpersistenceratspywarestealertrojan
Score
10/10

behavioral8

xloaderloaderrat
Score
10/10

behavioral9

xloaderloaderrat
Score
10/10

behavioral10

formbookxloaderloaderpersistenceratspywarestealertrojan
Score
10/10

behavioral11

xloaderloaderrat
Score
10/10

behavioral12

xloaderloaderrat
Score
10/10

behavioral13

formbookxloaderloaderpersistenceratspywarestealertrojan
Score
10/10

behavioral14

xloaderloaderpersistenceratspywarestealer
Score
10/10

behavioral15

formbookxloaderloaderpersistenceratspywarestealertrojan
Score
10/10

behavioral16

formbookxloaderloaderpersistenceratspywarestealertrojan
Score
10/10

behavioral17

xloaderloaderpersistencerat
Score
10/10

behavioral18

xloaderloaderrat
Score
10/10

behavioral19

xloaderloaderpersistenceratspywarestealer
Score
10/10

behavioral20

formbookxloaderloaderpersistenceratspywarestealertrojan
Score
10/10

behavioral21

xloaderloaderrat
Score
10/10

behavioral22

xloader6hscloaderrat
Score
10/10

behavioral23

xloaderloaderpersistenceratspywarestealer
Score
10/10

behavioral24

formbookxloaderloaderpersistenceratspywarestealertrojan
Score
10/10

behavioral25

xloaderloaderrat
Score
10/10

behavioral26

formbookxloaderloaderpersistenceratspywarestealertrojan
Score
10/10

behavioral27

formbookxloaderloaderpersistenceratspywarestealertrojan
Score
10/10

behavioral28

xloaderloaderrat
Score
10/10

behavioral29

formbookxloaderloaderpersistenceratspywarestealertrojan
Score
10/10

behavioral30

formbookxloadert3b6loaderpersistenceratspywarestealertrojan
Score
10/10

behavioral31

xloaderloaderpersistenceratspywarestealer
Score
10/10

behavioral32

xloaderloaderpersistenceratspywarestealer
Score
10/10