General

  • Target

    fc317530c3a698867861a965caa34bad.bin

  • Size

    471KB

  • Sample

    230512-c1k6ksbd79

  • MD5

    efb46ce79b862eab377a717819c9a574

  • SHA1

    c8cc21448786dd21c5d86baebf66423d8d157c95

  • SHA256

    1a9024a1ed25edcdaf20a64baa534133fc76be9814db11df5017f41fcda1ac7a

  • SHA512

    fba762978f7b6b27753bde16631a49555851eb34f82c5e9ca9a473881844e67a777ba0f8701c83a88405b8d167d5065b2ba808692b3915cbb8a8f0bcf7a3284d

  • SSDEEP

    12288:Oxfnn7XWr2m3dp8w8jcMy4AVlO7VOqA55NM:Oxn7XPm338wiydVlOpOqY5m

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.6

  • Campaign

    uj3c

  • Decoy

    copimetro.com
    choonchain.com
    luxxwireless.com
    fashionweekofcincinnati.com
    campingshare.net
    suncochina.com
    kidsfundoor.com
    testingnyc.co
    lovesoe.com
    vehiclesbeenrecord.com
    socialpearmarketing.com
    maxproductdji.com
    getallarticle.online
    forummind.com
    arenamarenostrum.com
    trisuaka.xyz
    designgamagazine.com
    chateaulehotel.com
    huangse5.com
    esginvestment.tech
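The decoy list above is what Formbook/Xloader uses to hide its real C2: the bot beacons to randomly chosen decoys alongside the real server, so a host resolving several of these names in a short window is a good indicator even though no single match identifies the C2. The following script is an added example, not part of the sandbox report or the Xloader family itself; it matches the extracted decoy domains against a DNS query log. The log format and the client IPs are constructed for the example.

```python
# Added example (not from the original report): match DNS query logs against the
# Xloader "Decoy" domains from the extracted config. A hit marks a host worth
# triaging; it does not by itself identify the real C2, which the bot hides
# among these decoys. The log lines and client IPs below are constructed.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Decoy domains exactly as listed in the extracted config above.
DECOY_DOMAINS: Set[str] = {
    "copimetro.com", "choonchain.com", "luxxwireless.com",
    "fashionweekofcincinnati.com", "campingshare.net", "suncochina.com",
    "kidsfundoor.com", "testingnyc.co", "lovesoe.com", "vehiclesbeenrecord.com",
    "socialpearmarketing.com", "maxproductdji.com", "getallarticle.online",
    "forummind.com", "arenamarenostrum.com", "trisuaka.xyz",
    "designgamagazine.com", "chateaulehotel.com", "huangse5.com",
    "esginvestment.tech",
}

# Constructed DNS log: "<timestamp> <client_ip> <query_type> <qname>"
SAMPLE_DNS_LOG = """\
2023-05-12T10:01:02Z 10.0.0.15 A www.copimetro.com
2023-05-12T10:01:03Z 10.0.0.15 A forummind.com
2023-05-12T10:01:09Z 10.0.0.22 A example.org
2023-05-12T10:02:40Z 10.0.0.15 A trisuaka.xyz
2023-05-12T10:03:01Z 10.0.0.31 AAAA suncochina.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def registrable_match(qname: str, indicators: Set[str]) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    Walks the label suffixes right-to-left so "www.copimetro.com" matches
    "copimetro.com" but "copimetro.com.evil.test" does not.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def find_decoy_hits(log_text: str, indicators: Set[str] = DECOY_DOMAINS
                    ) -> Dict[str, List[Tuple[str, str]]]:
    """Map client IP -> [(timestamp, matched decoy), ...] for every matching query."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the run
        ts, client, _qtype, qname = m.groups()
        matched = registrable_match(qname, indicators)
        if matched:
            hits[client].append((ts, matched))
    return dict(hits)


def triage(hits: Dict[str, List[Tuple[str, str]]], min_distinct: int = 2
           ) -> Dict[str, List[str]]:
    """Keep hosts that touched at least min_distinct different decoys.

    A single decoy lookup can be an ordinary visit to a legitimate site; several
    distinct decoys from one host look like a Formbook/Xloader beacon cycle.
    """
    result = {}
    for ip, events in hits.items():
        distinct = sorted({domain for _, domain in events})
        if len(distinct) >= min_distinct:
            result[ip] = distinct
    return result


if __name__ == "__main__":
    for ip, domains in triage(find_decoy_hits(SAMPLE_DNS_LOG)).items():
        print(f"{ip}: {len(domains)} distinct decoys -> {', '.join(domains)}")
```

Several of the listed decoys are ordinary registered websites, so do not push this list straight into a DNS blocklist; use it to rank hosts for investigation and confirm with the process-level indicators from the behaviour list.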

Targets

    • Target

      9973a0ac74f8649b431499862359352cc0e8639f4f46ae5ae2371fcdaaf31320.exe

    • Size

      798KB

    • MD5

      fc317530c3a698867861a965caa34bad

    • SHA1

      2700a38ef604d78793da302664afc7d27bbb0b1c

    • SHA256

      9973a0ac74f8649b431499862359352cc0e8639f4f46ae5ae2371fcdaaf31320

    • SHA512

      f01c04b08d76f7eef6426a129dc39ea1ab60d99c52804b999b4b89c53d6d83f0ad17db311186f899f4924a5bdd38577ef8d803ae909ff700ccb68c66511d3db9

    • SSDEEP

      12288:TNLhcjoS4FC7ITh3IBPmOt50Pbkttml53kbXJ2zlLj0:T9hcsFCMTaFCKIsbZ2h

    • Formbook

      Formbook is an information stealer: it harvests saved credentials, form data and keystrokes from browsers and other applications and sends them to its C2 server.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • ModiLoader Second Stage

    • Xloader payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser profile data (saved logins, cookies, autofill entries). Those files being opened by a process that is not the browser itself is a strong indicator.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
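Two of the behaviours above, "Adds Run key to start application" and "Executes dropped EXE", translate directly into host telemetry. The script below is an added example (not part of the report and not Tria.ge's signature code) that checks Sysmon-style events for both: a Run/RunOnce value pointing into a user-writable directory, and an .exe written by one process and then launched shortly afterwards. The event records, file names and SID are constructed to resemble Sysmon fields (EventID, Image, TargetObject, Details, TargetFilename). SetThreadContext, the third indicator, is a Win32 API call that Sysmon does not log; catching it needs API-level telemetry from an EDR or a sandbox, which is why it appears in this report but not in the script.

```python
# Added example (not from the original report): host-side checks for the
# "Adds Run key" (T1060) and "Executes dropped EXE" behaviours, over
# Sysmon-style events. All events below are constructed for the example.
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(\\|$)",
    re.IGNORECASE,
)
# Locations loaders typically drop into; a Run value pointing here is the
# suspicious part, since legitimate autostarts usually live under Program Files.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\Public|Windows\\Temp)\\", re.IGNORECASE
)

# Constructed Sysmon-like events: 11 = FileCreate, 13 = RegistryValueSet,
# 1 = ProcessCreate. Paths, names and the SID are invented for the example.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 11, "UtcTime": "2023-05-12 10:00:01",
     "Image": r"C:\Users\ana\Downloads\invoice.exe",
     "TargetFilename": r"C:\Users\Public\Libraries\Yhsfgk.exe"},
    {"EventID": 13, "UtcTime": "2023-05-12 10:00:02",
     "Image": r"C:\Users\ana\Downloads\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Yhsfgk",
     "Details": r"C:\Users\Public\Libraries\Yhsfgk.exe"},
    {"EventID": 1, "UtcTime": "2023-05-12 10:00:03",
     "Image": r"C:\Users\Public\Libraries\Yhsfgk.exe",
     "ParentImage": r"C:\Users\ana\Downloads\invoice.exe"},
    # Benign registry write: same hive, not a Run key.
    {"EventID": 13, "UtcTime": "2023-05-12 10:05:00",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def _ts(ev: Dict[str, object]) -> datetime:
    return datetime.strptime(str(ev["UtcTime"]), "%Y-%m-%d %H:%M:%S")


def run_key_persistence(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Event 13 writes under Run/RunOnce; flag whether the value points at a drop dir."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        if not RUN_KEY_RE.search(str(ev.get("TargetObject", ""))):
            continue
        details = str(ev.get("Details", ""))
        findings.append({
            "technique": "T1060",
            "writer": ev["Image"],
            "value": ev["TargetObject"],
            "target": details,
            "user_writable": bool(USER_WRITABLE_RE.search(details)),
        })
    return findings


def dropped_exe_executed(events: List[Dict[str, object]],
                         window: timedelta = timedelta(minutes=5)
                         ) -> List[Dict[str, Optional[object]]]:
    """Event 11 creating an .exe followed within `window` by Event 1 running that path."""
    drops: Dict[str, tuple] = {}  # lower-cased path -> (create time, dropper image)
    findings = []
    for ev in sorted(events, key=_ts):
        if ev["EventID"] == 11 and str(ev["TargetFilename"]).lower().endswith(".exe"):
            drops[str(ev["TargetFilename"]).lower()] = (_ts(ev), ev["Image"])
        elif ev["EventID"] == 1:
            key = str(ev["Image"]).lower()
            if key in drops and _ts(ev) - drops[key][0] <= window:
                findings.append({"dropper": drops[key][1], "dropped": ev["Image"],
                                 "parent": ev.get("ParentImage")})
    return findings


if __name__ == "__main__":
    for f in run_key_persistence(SAMPLE_EVENTS):
        print("Run key:", f["value"], "->", f["target"], "(user-writable)" if f["user_writable"] else "")
    for f in dropped_exe_executed(SAMPLE_EVENTS):
        print("Dropped and executed:", f["dropped"], "by", f["dropper"])
```

Correlating the two findings on the same dropper image reproduces the loader chain the report describes (ModiLoader writes and runs the second stage, then persists it), which is a stronger signal than either event alone.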

MITRE ATT&CK Matrix ATT&CK v6

Tactic, technique (ID) and the number of matched signatures:

  • Persistence

    T1060  Registry Run Keys / Startup Folder  (1)

  • Defense Evasion

    T1112  Modify Registry  (2)

  • Credential Access

    T1081  Credentials in Files  (1)

  • Collection

    T1005  Data from Local System  (1)

The IDs follow ATT&CK v6; in current ATT&CK versions T1060 is superseded by T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1081 by T1552.001 (Unsecured Credentials: Credentials In Files), so map them before feeding this report into tooling that uses the newer IDs.

Tasks