Overview

overview

10

Static

static

3

ef3ee1a764...18.exe

windows7-x64

10

ef3ee1a764...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ef3ee1a764a33632b5cf8d0b10853d8d_JaffaCakes118

  • Size

    1.6MB

  • Sample

    240412-ga8leaah8t

  • MD5

    ef3ee1a764a33632b5cf8d0b10853d8d

  • SHA1

    815dde75d76b1f61ac69cff8edfebed265aa801f

  • SHA256

    e91d88bbb3693136fce60e4208200af50f9855a1d4b4e96d164ba7ef8b1e0bda

  • SHA512

    abdda3497ceaba4b2b8513fa5344fc4aa631858c26f9b32fc7f10d0d2971b935859acd27d54845cc4c11a8fc7a920d9d52ac21194ef05e125fdd09cedc8246f0

  • SSDEEP

    24576:nqLS/d3UYdkb7Mb+8w/qx/YNTSlzPdVsC9+8EUUWbmwRGPoN7vdiTbnFM:NM7Mb+8P/xtUeLEcm/PoiM

Score
10/10
xloaderr58uloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

r58u

Decoy

schmidt-montecarmelo.com

bainrix.com

healtracer.com

thriveclothingclub.com

thedreamforce.computer

cbidhh.icu

btcmart.info

nnghxks75.com

524joshua.com

novarealty.homes

a2amc.com

ebtbedge.com

youmaitiantian.com

bjhszz.com

dwchongzhi.com

getfastpage.com

customerservice-netflix.com

pontiac.today

tved-rnzfr.xyz

flourishingfamilies.today

Targets

    • Target

      ef3ee1a764a33632b5cf8d0b10853d8d_JaffaCakes118

    • Size

      1.6MB

    • MD5

      ef3ee1a764a33632b5cf8d0b10853d8d

    • SHA1

      815dde75d76b1f61ac69cff8edfebed265aa801f

    • SHA256

      e91d88bbb3693136fce60e4208200af50f9855a1d4b4e96d164ba7ef8b1e0bda

    • SHA512

      abdda3497ceaba4b2b8513fa5344fc4aa631858c26f9b32fc7f10d0d2971b935859acd27d54845cc4c11a8fc7a920d9d52ac21194ef05e125fdd09cedc8246f0

    • SSDEEP

      24576:nqLS/d3UYdkb7Mb+8w/qx/YNTSlzPdVsC9+8EUUWbmwRGPoN7vdiTbnFM:NM7Mb+8P/xtUeLEcm/PoiM

    Score
    10/10
    xloaderr58uloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Xloader payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks