Overview

overview

10

Static

static

3

00928372632.exe

windows7-x64

10

00928372632.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    00928372632_1.zip

  • Size

    540KB

  • Sample

    230626-mggn6aac3w

  • MD5

    7754e21742848afc8cfe671e511412cc

  • SHA1

    dfb05701b1bbe3ede392f521758186411548d428

  • SHA256

    80145a72c360f466958abf5bacd752fa254c9067778c274af8f0a6a04337f74a

  • SHA512

    468343f2ba512ccca84f3baf9e15e69c0f641d85f790a1e2a93634a14734316f1b50690d91605f13b6ddb175ec02a1ff397257785b1463a1b2710a4f655619f2

  • SSDEEP

    12288:P+WWlPiFwVV3qQj1Q4zVPmyrAzXehr4gBGiB4z9iSYDZ:3WliFGV6Qj1QScyrbvGiB4z8dN

Score
10/10
modiloaderxloaderuj3cloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Targets

    • Target

      00928372632.exe

    • Size

      984KB

    • MD5

      46b253f9b58924c980d5f0780f013b26

    • SHA1

      0065c2ace404b9908dce1eefd162ced9b602eea1

    • SHA256

      904c33cddf1d9930deaafe80395988a6b61f4acd79e8e29058a6dc00a3de851b

    • SHA512

      0622b7ed5a8b5622e1b944e78938de28e2b54836adb3fb7c655e4573ee03511f177fdad741eb521fad26ba9ff91d5ac918297db626be7caec0262dd6732294c1

    • SSDEEP

      12288:zWI+n1cF0p4WhPQbXfu/i7Nx29T1CWaXqIov5n0fc8MMvdgV25wqYyEyHcsbOona:z28tWhPKXf9PvXqgfvcQrEyHFbOwN

    Score
    10/10
    modiloadertrojanxloaderuj3cloaderpersistenceratspywarestealer

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • ModiLoader Second Stage

    • Xloader payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks