General

  • Target

    dc76eda7c92266e884d6c392f3fd087b75c659ffc1127b38cdee502491f70efb

  • Size

    987KB

  • Sample

    241121-yrq65azrdj

  • MD5

    3adf7801d51027d89eed8fd6f922b722

  • SHA1

    032ab2acee83278fde0bf1cd5b1886441747f0ef

  • SHA256

    dc76eda7c92266e884d6c392f3fd087b75c659ffc1127b38cdee502491f70efb

  • SHA512

    210cf1bc50e9f57adfb6ba494eaf146d5d2f284684651ab8970cd3a2292df1964fb881129d4f47d8d5b5070d338892077f3a5d49ac3cef6a95f684160dc6c26c

  • SSDEEP

    24576:n0x0O8kuSKiA+IN4qBI0yfdzcWGR6UK4ldBKJcMuVmDbu+:nzO8TSKrN4qBIN1zc2l0dBKJcZ8u+

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.3

  • Campaign

    b0ar

  • Decoy

    fbadformula.com

    appdios.com

    guyhoquet-immobilier-drancy.com

    pokerwiro.com

    maxwellhospitaljaipur.com

    88n9.com

    bennypc.com

    corcoranconsult.com

    cuidatusaludcuidatucasa.com

    motlakfitnes.com

    laurahurricanerelief.com

    nostacktofullstack.com

    privsec-mail.com

    andalusaihealth.com

    doosanmodelhouse.com

    quickbookaccountingpro.com

    falconrysouk.com

    vnielvmdqxk538.xyz

    asshop.space

    mhscdnv1.club

Extracted

  • Family

    xred

  • C2

    xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c

    • Size

      1.2MB

    • MD5

      51f1f9633fda9697a21cfe3803505300

    • SHA1

      f2c28c2fadfa10fbe41789736ef044fcccac9325

    • SHA256

      74037ff6cdc98978d62b5e298fa9f59a52c93186d24e419998b33e6270b8c56c

    • SHA512

      05c2b63e193f34f188dc226013a3366481302302b37c4ac6b2dfebe9b8986dfcc9329f1f528b4c300ac5c83a5d9390ca39f1132ae716f8411880ce41fe711fa5

    • SSDEEP

      24576:v8s2L74wp7Fd0D5wHcgsVPorazZ+Dq9RE7:vb2L7HLM5wHcgkorU+DS

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader family

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Xloader payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks