General

  • Target

    ef69c1b31ab08db5eec628aedd31ffd2_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240414-yzs1pafd3y

  • MD5

    ef69c1b31ab08db5eec628aedd31ffd2

  • SHA1

    13edc892f792e1460d26dc4fc329d9f6978788ca

  • SHA256

    259e3b91615c56477ea088113187b3d4699ccc3b32b0ae31c5ea49e895d67366

  • SHA512

    2294455861b7850221d1ddf157af40beaf7af6b4a147bdb3beb63498e011441f48ef8aea1fa17baac7141bd292014396a2dffa8fee02db0d636cdd0581d3b8fd

  • SSDEEP

    12288:aPz7sw+52RLlBKxZsOxR0djz0T+LRlEWbKgP7R5kjx3WH4eWNB9D:CYwEYlBKxvxOdjzQm7

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

a0ce

Decoy


Targets

    • Target

      ef69c1b31ab08db5eec628aedd31ffd2_JaffaCakes118

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                      Matches  ID
Execution             Scheduled Task/Job             1        T1053
Persistence           Scheduled Task/Job             1        T1053
Privilege Escalation  Scheduled Task/Job             1        T1053
Discovery             Query Registry                 1        T1012
Discovery             System Information Discovery   2        T1082

Tasks