Overview

overview

10

Static

static

3

103 Ref 28...23.exe

windows7-x64

1

103 Ref 28...23.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8fee6ed4037c72b3e10af797b4573343

  • Size

    376KB

  • Sample

    231219-yzehasbeen

  • MD5

    8fee6ed4037c72b3e10af797b4573343

  • SHA1

    337bdd03f4344e885a6c2d67cdbbe3dd4fbab28b

  • SHA256

    4c982cc430713582cbf620e39190fa021b69c10476016af51f2f2d345926b6c1

  • SHA512

    795cb958a2fc5e30a81ae56a3f29c472914cbb0954235bd5e36bc11a32cf2396091045957fdf373fc03dd03f9c22a23a01b3703721f0af0a4591bf83e61bd64e

  • SSDEEP

    6144:ealoR4a0Hm+OuNy8uEjXNSldpP8cTS/MNyBQkm4fQWkhl9lWq3MwOYE1gBdmJ1:ds4a07OmjXN2P8WNwQMVPR1

Score
10/10
modiloaderxloaderepnsloaderpersistencerattrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

epns

Decoy

mmfaccao.com

blttsperma.quest

946abe.net

indispensablehands.com

jkformationfrance.com

phonerepaire.com

lienquan-trian.com

youkuti.com

empowermindbodystudios.com

seunicapf.com

fk-link.xyz

kunai.tech

difficultbutdoablebrand.com

ejworkspace.com

teracorp.biz

thekids.today

quintaalentejana.com

annaviruksham.com

jshengrong.com

nsmetalmakina.xyz

Targets

    • Target

      103 Ref 2853801324189923.exe

    • Size

      703KB

    • MD5

      babec548d64d2d65430564a0c154af00

    • SHA1

      f63c1df2e34448c05670f10a734b4b6e988ed2b6

    • SHA256

      86efd34020073e8fcdb31a794973b6a63ebef864684e304edc98d435ffa75016

    • SHA512

      7857b9763788fbda67ed2f96e3ceae71ac02753f4de9ac7154d4dead10effa6a12936da18e8136cdd9d92c49a8455ab5c3615a40352358a1a85e1688a96c395c

    • SSDEEP

      12288:1sCK7j81eHghs1Lqob5GZj9wNqdVVGs+4lprmi:1bivAhs9qotQ9+qdGs1pm

    Score
    10/10
    modiloaderxloaderepnsloaderpersistencerattrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • ModiLoader Second Stage

    • Xloader payload

      rat

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks