Overview

overview

10

Static

static

3

efb464ece5...18.exe

windows7-x64

10

efb464ece5...18.exe

windows10-2004-x64

10

$PLUGINSDIR/rzvd.dll

windows7-x64

10

$PLUGINSDIR/rzvd.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    efb464ece5f5aa332a60d241aa93a74f_JaffaCakes118

  • Size

    660KB

  • Sample

    240414-2v6b1aga38

  • MD5

    efb464ece5f5aa332a60d241aa93a74f

  • SHA1

    1b07ef42b7d91b71600f7512e6eb7248510b2330

  • SHA256

    7384a61fc69ce24610f7c4658c2ef8786c4cdc5d6ad6b33d1a9f506d6b6388d3

  • SHA512

    86c4b630151a648ed004e543996eba2d9a54dfb14de71b1f38f2e4fe4881c4e2a8b7e2c7f6c52876d8f3eb4406b0c12c349861e024de40568306b3505bd3ef82

  • SSDEEP

    6144:h8LxB/WPFi3n+dwNOOGAmuDkM+fcA3RNNJzYTwXF0WmZfml7WcXg6tFI:vCNOUHkMgc8zN0Wmhs7kj

Score
10/10
xloaderons6loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ons6

Decoy

946acc.net

ilkermulla.com

edificationhub.com

aptbaby.com

luisrgonzalez.com

postandpine.com

objective-object.com

storeydrive.rentals

mobile-find.com

africanbridaluk.com

zzjn12.xyz

ritechoiceinvestmentgroup.com

zitzies.xyz

trulyproofreading.com

ktndetermine.xyz

advertising.land

keywordgomuwk.xyz

niecliomusicspirit.com

lhortelecom.com

cryptochieftan.com

Targets

    • Target

      efb464ece5f5aa332a60d241aa93a74f_JaffaCakes118

    • Size

      660KB

    • MD5

      efb464ece5f5aa332a60d241aa93a74f

    • SHA1

      1b07ef42b7d91b71600f7512e6eb7248510b2330

    • SHA256

      7384a61fc69ce24610f7c4658c2ef8786c4cdc5d6ad6b33d1a9f506d6b6388d3

    • SHA512

      86c4b630151a648ed004e543996eba2d9a54dfb14de71b1f38f2e4fe4881c4e2a8b7e2c7f6c52876d8f3eb4406b0c12c349861e024de40568306b3505bd3ef82

    • SSDEEP

      6144:h8LxB/WPFi3n+dwNOOGAmuDkM+fcA3RNNJzYTwXF0WmZfml7WcXg6tFI:vCNOUHkMgc8zN0Wmhs7kj

    Score
    10/10
    xloaderons6loaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/rzvd.dll

    • Size

      27KB

    • MD5

      d255169c5e130e0104b01f2ceb04c885

    • SHA1

      e9a0bf4c711f63829fb077b75b57a14b6bdda4bc

    • SHA256

      66c07a5eb743d77deff8b16a8cbcc1be0795df5197874f23fd440fbf0cae38a8

    • SHA512

      15f54c5f3de381c4b935886bd120d1e4ab609109015b6b49b842aa34b465467706ac79e0b8ad0961046e841e8e352df2a12b70653c960115e6ff92c4b282605e

    • SSDEEP

      768:GoFuDrc9RGl9YRFbDkAkXa37bcM0qOuB1JzTMv:hErUGlYr0a8M0SdY

    Score
    10/10
    xloaderons6loaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks