General

  • Target

    f8ea89c3b7200c69d23f728662031463_JaffaCakes118

  • Size

    852KB

  • Sample

    240418-2qapjaaa6y

  • MD5

    f8ea89c3b7200c69d23f728662031463

  • SHA1

    4783a6c208bcff600642b8524eb7ef978194ba05

  • SHA256

    2a5d6061c00f5845372fb38dd5840cd483f22576805af43ba2df82df9a455922

  • SHA512

    90cb59a880c281bbb359dd3807ccc996025cdb587cd341eda8c3fc845053b96cbbcbfd44ddda6c7c1b5bd5b20e37d71827f8ae5eca3ce80a1b9e1cc42f52bcb5

  • SSDEEP

    24576:FVvnCh1ebMFaxDlfot7gUe7ETntAJ6FEVRRS8:Fch1hFSDOt7gTg9FEh

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    gab8

  • Decoy


Extracted

  • Family

    asyncrat

  • Version

    0.5.7B

  • Botnet

    Default

  • C2


  • Mutex

    AsyncMutex_6SI8OkPnk

  • Attributes

      • delay

        3

      • install

        false

      • install_folder

        %AppData%

      • aes.plain

Targets

    • Target

      Ord20211310570045368963AC.exe

    • Size

      585KB

    • MD5

      f6fde8532e45bb49f3220e64c10d11a1

    • SHA1

      4911c4d21a733ffa4990e2f00eab31106488fb85

    • SHA256

      536cd8989d73b24ec397f603f3b509ec656febd8273c78ec576c200b5d09d063

    • SHA512

      66931a5dd699970487164a434ce19e1ccaee8355cd1fbcedda9b3331106ed8e8b58d0a24c8272cacea29c5d930548cd324aa3c794186013398c5fac0f2805976

    • SSDEEP

      12288:2aZPkBSBo79XgtOW5nuRI/+cEchvo3LKUWj9zKCUFRXgHe:ZZPPBHttd2cEcQ3LEj9Da+

    Score: 10/10

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Suspicious use of SetThreadContext

    • Target

      Ord20211310570045368964AL.exe

    • Size

      474KB

    • MD5

      0cb1c28aaae7fb100c41281e5c9b6c2b

    • SHA1

      8e417c1400cac2182f5bc92457d34753e2f9dc23

    • SHA256

      966f2e804c9e63e6bbc3d7dda36de1e2ca1fb4b93b4fe95bcfe4b682399ca4ce

    • SHA512

      e8cb29368fbc13ef6a8b4e078b8310aaffc9845e73bfaa83e414b998548d9ace3e16ffa3e36efc902a43b1c36bf06fb909e81c0b5adc248da6cb05edc8896621

    • SSDEEP

      12288:lOPUPk5+jcIK7GaUv7WaFbMPiyOn8pNISB:lcUP++jcIKqaUjWmwJpNFB

    Score: 10/10

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                       Count  ID
  Execution              Scheduled Task/Job              1      T1053
  Persistence            Scheduled Task/Job              1      T1053
  Privilege Escalation   Scheduled Task/Job              1      T1053
  Discovery              Query Registry                  2      T1012
  Discovery              System Information Discovery    3      T1082

Tasks