Overview

overview

10

Static

static

3

RFQ0473838383.exe

windows7-x64

10

RFQ0473838383.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6219d3d351b074f3015edd7e1d9a96a7a6b969deb1c8642c1e5f5f99c73af6a8

  • Size

    415KB

  • Sample

    241121-zeg85a1rdp

  • MD5

    4a2cf5e45533159e0d55ee15b9192a1e

  • SHA1

    d0ce4d3cf0fc0a4797d3fee0222512de1589f755

  • SHA256

    6219d3d351b074f3015edd7e1d9a96a7a6b969deb1c8642c1e5f5f99c73af6a8

  • SHA512

    e16dfd5cc4e5425048e1727769c0f7fba9f2f9a6de3f7a838d4fae60a1658f0eaca8362d114b04a6b01791c88b7f27784395be293de8eb9c0dc2ac8c31db8729

  • SSDEEP

    12288:HNtQgAot5jVdtxg3LsFwUuQybu10Qd8EuBTiFkQ4KOpAR:H4SleLKiJC10u8E0q1OpAR

Score
10/10
xloaderiaopdiscoveryevasionexecutionloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

iaop

Decoy

oosakichi.com

group1beadles.com

navegadorexclusivo.digital

awefca.xyz

strakerwilliams.com

stone-img.com

radialodge.com

tequesquitengo.net

humanegardens.com

rubberyporqjp.xyz

farazkhak.com

gfsexpornvideos.com

stealth-carrier.com

hemtpi.xyz

tygcj.com

agileiance.com

ioan316.com

kitchendesigns.xyz

shannacarolphotography.com

oheytech88.net

Targets

    • Target

      RFQ0473838383.exe

    • Size

      628KB

    • MD5

      315b261c58696e588523ef02adefb688

    • SHA1

      ba05bf49eddd3525b6bdf3b6700716bac07340bf

    • SHA256

      e9a323cf1693e3ade91d24bd4cb4e9f976f905d9fbcd695dc99f6e8005b9680c

    • SHA512

      10cbc5f94941aa5da2d277177176bbdf21b118b77ebb78baf9a9f14859ce5ae7a0bb7560b2c76900723a96c839c72ee937dfe1e7fad6f65bb0b72606c8ffef52

    • SSDEEP

      12288:XODQzJ40CAH7yWEv85imatc0W75RVdtTg3LEFaUuQcbuv/VCk2AlCcasUo:+8Fd7yNDttc0WrlsLicdCv/Vf2HcasU

    Score
    10/10
    xloaderiaopdiscoveryevasionexecutionloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader family

      xloader

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Xloader payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks