Overview

overview

10

Static

static

3

Vadesi Gec...ra.exe

windows7-x64

10

Vadesi Gec...ra.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7bc1eeb113f774f054e5f12d199dc10a.zip

  • Size

    382KB

  • Sample

    230706-ppt1kaah75

  • MD5

    15ac67b2c00c59bc895637d62fdc8172

  • SHA1

    b14acfb6c4ae4f55598f54706ca73095a14588bd

  • SHA256

    feacddea97c71bcbacb2c144f56e46bed1412c3d6b94631f6955075b523e5b50

  • SHA512

    cc04ccc8af2a11e266078842831bef152ea13298808d5d110d86d367e05ed5f3590984700df0788791c39f844a5c820ebe29012a0c7ff8bdae19e0d0b8156966

  • SSDEEP

    6144:R7RLNCYtP0J4kAIwyrE9GTagPp3vcIXI5kIIPorzAcp8e41OFjnBxOVjudME5:R7zCwGPXp3ECsk6rzAG8eWOJnBmuR

Score
10/10
modiloaderxloaderuj3cloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Targets

    • Target

      Vadesi Gecmis Fatura.exe

    • Size

      746KB

    • MD5

      032e93902c4e6b2bf7fb6d4c9ea88d51

    • SHA1

      2f724dde1900a94622a238481a28d4130be6d7d3

    • SHA256

      361d18f86c96f9e72fa6979b09148f9e94ced13a55409265157012cf8427e60d

    • SHA512

      768259ed7db861719b32a265f56dd64a80befa1bfbc4c79008fd62644089ad250cbca1ddefc6c34f1f06c39f93695879fd98ee7db88e61e31f5135960ee52c81

    • SSDEEP

      12288:3GR+Vd0ckynvLwdJgNsycuL573BhZWPNFWrsEL09pmHtJNNW/8kGPQ:3GAVk4Mwom77WGrs9StJNSGP

    Score
    10/10
    modiloadertrojanxloaderuj3cloaderpersistenceratspywarestealer

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • ModiLoader Second Stage

    • Xloader payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks