Overview

overview

10

Static

static

3

Yeni sifar...si.exe

windows7-x64

10

Yeni sifar...si.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Yeni sifaris siyahisi.exe

  • Size

    714KB

  • Sample

    230614-khhlqsfb8t

  • MD5

    6172cb3957b8d2e9c6826b552ce3639d

  • SHA1

    4baef093ea515002536b9de941b4a6df8d7a28a6

  • SHA256

    5839da1f2d15ad51aa8165869552f628e67bb3e30341ea9f619a1167301e8354

  • SHA512

    1b08fb6e0bde7d5b2336ec2dd12e7559f70d8ed6e5798432bd01d6efb91d4e74c144d2a6a45cf8d743b6c77a4e360475a368cf2aa180cc61c65ce89e8cc154d6

  • SSDEEP

    12288:D4iyBJSbLJfaMAhJVNRdfNl6lFqZLDZGqtV2ZE:D3ykf9AJ5vcADHW

Score
10/10
formbookmodiloaderxloaderuj3cloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Targets

    • Target

      Yeni sifaris siyahisi.exe

    • Size

      714KB

    • MD5

      6172cb3957b8d2e9c6826b552ce3639d

    • SHA1

      4baef093ea515002536b9de941b4a6df8d7a28a6

    • SHA256

      5839da1f2d15ad51aa8165869552f628e67bb3e30341ea9f619a1167301e8354

    • SHA512

      1b08fb6e0bde7d5b2336ec2dd12e7559f70d8ed6e5798432bd01d6efb91d4e74c144d2a6a45cf8d743b6c77a4e360475a368cf2aa180cc61c65ce89e8cc154d6

    • SSDEEP

      12288:D4iyBJSbLJfaMAhJVNRdfNl6lFqZLDZGqtV2ZE:D3ykf9AJ5vcADHW

    Score
    10/10
    modiloadertrojanformbookxloaderuj3cloaderpersistenceratspywarestealer

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • ModiLoader Second Stage

    • Xloader payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks