General

  • Target

    Documents_pdf03243232 SHPMT.exe

  • Size

    975KB

  • Sample

    250206-hq291aypan

  • MD5

    7e31f4f040cec802a5608cdd9b356f5c

  • SHA1

    e1b37eaba8fd77fc8aabbc5dfe2bc7b06943ef98

  • SHA256

    64b9f04e500e377972f23c923e678d2d3ec4aecc42d0634de4e09570b1d58d35

  • SHA512

    705a3c7b0b3d0f61dc3fb80d34d3eda60e901ce8b7de6a60bfa913397bb75ddf602ba2c0219e0aadadfcd95ce5bdc6ad7465834722d4a975494fb32f8e8042ee

  • SSDEEP

    24576:vfVoFufS+s4AG5pZxln2hJoGlIF22Gk2PSGQOs8D:HaFurAGpZxd+tlIF2m2aGd

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

n8it

Decoy

360-nft.com

reversedwarbler.com

corefina.com

pettigestudio.com

bienvenidomiami.com

directoriobid.com

ydshine.com

xuemengyc.com

crossfitlaquila.com

strongdigits.com

goldendtatedermatology.com

onlinecryptoarbitrage.com

ziyuechloezhang.com

khaijd.com

pickleballgiant.info

shopcycles3.com

dynamicmetalbuildings.com

vandorainvestmentpartners.com

syzbf15.xyz

directbizlending.xyz
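The decoy list above is the most directly actionable part of the extracted config for a defender. Formbook and its Xloader rebrand send their beacons to a rotating subset of the configured decoy domains as well as to the real C2, so a single lookup of one of these names is weak evidence (several of the decoys are legitimate sites), while one host resolving several names from the same list within a short window is characteristic of the beaconing. The script below is an added example, not part of this report or the sandbox's own tooling: it matches DNS query names against the list (exact match or as a parent domain, so look-alikes such as notcorefina.com do not hit) over a few constructed BIND-style query-log lines and flags hosts that resolved two or more distinct entries. The log format, timestamps and IP addresses are assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional

# Decoy domains copied from the extracted xloader config on this page.
DECOY_DOMAINS = frozenset({
    "360-nft.com", "reversedwarbler.com", "corefina.com", "pettigestudio.com",
    "bienvenidomiami.com", "directoriobid.com", "ydshine.com", "xuemengyc.com",
    "crossfitlaquila.com", "strongdigits.com", "goldendtatedermatology.com",
    "onlinecryptoarbitrage.com", "ziyuechloezhang.com", "khaijd.com",
    "pickleballgiant.info", "shopcycles3.com", "dynamicmetalbuildings.com",
    "vandorainvestmentpartners.com", "syzbf15.xyz", "directbizlending.xyz",
})


def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot a resolver may append."""
    return name.strip().rstrip(".").lower()


def match_ioc(qname: str, iocs: Iterable[str] = DECOY_DOMAINS) -> Optional[str]:
    """Return the IOC that qname equals or is a subdomain of, else None.

    Matching is done label by label: 'www.corefina.com' hits 'corefina.com',
    while the look-alikes 'notcorefina.com' and 'corefina.com.example' do not.
    """
    iocs = set(iocs)
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Assumed BIND-style query-log layout; adjust the regex for your resolver.
QUERY_LINE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+ .*?: query: (?P<qname>\S+) IN ")


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose query name matches a decoy domain."""
    hits = []
    for line in lines:
        m = QUERY_LINE.search(line)
        if not m:
            continue
        ioc = match_ioc(m["qname"])
        if ioc:
            hits.append({"src": m["src"], "qname": normalize(m["qname"]), "ioc": ioc})
    return hits


def suspect_hosts(hits: List[Dict[str, str]], min_distinct: int = 2) -> Dict[str, List[str]]:
    """Hosts that resolved at least min_distinct different decoys.

    One lookup can be a false positive (some decoys are real sites); several
    names from the same config list on one host is what the beaconing looks like.
    """
    by_src: Dict[str, set] = {}
    for h in hits:
        by_src.setdefault(h["src"], set()).add(h["ioc"])
    return {src: sorted(d) for src, d in by_src.items() if len(d) >= min_distinct}


# Constructed sample log lines (not taken from this report's task trace).
SAMPLE_LOG = [
    "12-Feb-2025 10:01:02.123 client @0x7f3a 10.0.0.5#53211 (www.360-nft.com): query: www.360-nft.com IN A + (10.0.0.1)",
    "12-Feb-2025 10:01:03.456 client @0x7f3a 10.0.0.5#53212 (corefina.com): query: corefina.com IN A + (10.0.0.1)",
    "12-Feb-2025 10:01:04.789 client @0x7f3a 10.0.0.9#40001 (example.com): query: example.com IN A + (10.0.0.1)",
    "12-Feb-2025 10:01:05.000 client @0x7f3a 10.0.0.9#40002 (notcorefina.com): query: notcorefina.com IN A + (10.0.0.1)",
    "12-Feb-2025 10:01:06.000 client @0x7f3a 10.0.0.7#40003 (pettigestudio.com.): query: pettigestudio.com. IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['src']}\t{h['qname']}\t-> {h['ioc']}")
    print("suspect hosts:", suspect_hosts(found))
```

The threshold of two distinct decoys is a starting point; on a resolver that serves many clients, raise it or add a time window, since the legitimate decoys will be looked up by unrelated users.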

Targets

    • Target

      Documents_pdf03243232 SHPMT.exe

    • Size

      975KB

    • MD5

      7e31f4f040cec802a5608cdd9b356f5c

    • SHA1

      e1b37eaba8fd77fc8aabbc5dfe2bc7b06943ef98

    • SHA256

      64b9f04e500e377972f23c923e678d2d3ec4aecc42d0634de4e09570b1d58d35

    • SHA512

      705a3c7b0b3d0f61dc3fb80d34d3eda60e901ce8b7de6a60bfa913397bb75ddf602ba2c0219e0aadadfcd95ce5bdc6ad7465834722d4a975494fb32f8e8042ee

    • SSDEEP

      24576:vfVoFufS+s4AG5pZxln2hJoGlIF22Gk2PSGQOs8D:HaFurAGpZxd+tlIF2m2aGd

    • Xloader

      Xloader is a rebranded version of the Formbook information stealer.

    • Xloader family

    • Looks for VirtualBox Guest Additions in registry

    • Xloader payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so the payload is no longer scanned.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect virtualized or sandboxed environments, whose BIOS strings identify the hypervisor.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments, since virtual disk names typically embed the hypervisor vendor.

    • Suspicious use of SetThreadContext
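The behaviour signatures above can be reproduced from raw sandbox or EDR telemetry with a handful of rules. The script below is an added example, not the sandbox's own signature engine: it runs regex rules for the Defender-exclusion PowerShell command line, the VirtualBox and VMware registry probes, the BIOS, country-code and disk reads, and the self-delete over a constructed list of events, and it parses the exclusions the PowerShell command would add so they can be reverted with Remove-MpPreference. The event layout, the on-disk path of the sample, and the exact registry keys behind the location and drive signatures (Control Panel\International\Geo\Nation and Services\Disk\Enum) are assumptions; SetThreadContext is an API-level signal and is not covered here.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Sample name as listed on this page; the on-disk path in the events is assumed.
SAMPLE_NAME = "Documents_pdf03243232 SHPMT.exe"

# Constructed sandbox-style events (not this report's task trace). The anti-VM
# and BIOS keys are the well-known locations; Geo\Nation and Disk\Enum are my
# assumption of what the location and drive-mapping signatures look at.
EVENTS = [
    {"type": "process", "image": "powershell.exe",
     "cmdline": r'powershell -w hidden -c "Add-MpPreference -ExclusionPath C:\Users\Public,C:\ProgramData -ExclusionExtension .exe -ExclusionProcess SHPMT.exe"'},
    {"type": "regquery", "key": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    {"type": "regquery", "key": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    {"type": "regquery", "key": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "regquery", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "regquery", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"},
    {"type": "regquery", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "process", "image": "cmd.exe",
     "cmdline": r'cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\user\Desktop\Documents_pdf03243232 SHPMT.exe"'},
]


def build_rules(sample_name: str) -> List[Tuple[str, str, Pattern]]:
    """(signature name, event type, pattern) triples mirroring the report's signatures."""
    name = re.escape(sample_name)
    return [
        ("Command and Scripting Interpreter: PowerShell", "process",
         re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I)),
        ("Looks for VirtualBox Guest Additions in registry", "regquery",
         re.compile(r"\\Oracle\\VirtualBox Guest Additions\b", re.I)),
        ("Looks for VMWare Tools registry key", "regquery",
         re.compile(r"\\VMware, Inc\.\\VMware Tools\b", re.I)),
        ("Checks BIOS information in registry", "regquery",
         re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBios|VideoBios)", re.I)),
        ("Checks computer location settings", "regquery",
         re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
        ("Maps connected drives based on registry", "regquery",
         re.compile(r"\\Services\\Disk\\Enum\b", re.I)),
        # cmd.exe deleting the sample's own file after a delay is the usual self-delete.
        ("Deletes itself", "process",
         re.compile(r"\bdel\b[^&|]*" + name, re.I)),
    ]


def evaluate(events: List[Dict[str, str]], sample_name: str) -> Dict[str, List[str]]:
    """Map each triggered signature to the command lines / keys that triggered it."""
    hits: Dict[str, List[str]] = {}
    for sig, etype, pattern in build_rules(sample_name):
        for ev in events:
            if ev["type"] != etype:
                continue
            field = ev["cmdline"] if etype == "process" else ev["key"]
            if pattern.search(field):
                hits.setdefault(sig, []).append(field)
    return hits


# One exclusion item: "quoted", 'quoted', or a bare token without spaces/commas.
_ITEM = r"""(?:"[^"]*"|'[^']*'|[^\s"',]+)"""
EXCLUSION_ARG = re.compile(
    r"-Exclusion(Path|Extension|Process)\s+(" + _ITEM + r"(?:\s*,\s*" + _ITEM + r")*)", re.I)


def parse_mp_exclusions(cmdline: str) -> Dict[str, List[str]]:
    """Extract the Path/Extension/Process exclusions an Add-MpPreference call adds.

    The result is what you would feed back to Remove-MpPreference to undo them.
    """
    out: Dict[str, List[str]] = {"Path": [], "Extension": [], "Process": []}
    for kind, raw in EXCLUSION_ARG.findall(cmdline):
        for item in raw.split(","):
            out[kind.capitalize()].append(item.strip().strip("'\""))
    return out


if __name__ == "__main__":
    for sig, evidence in evaluate(EVENTS, SAMPLE_NAME).items():
        print(f"[+] {sig}")
        for e in evidence:
            print(f"      {e}")
    print("Defender exclusions to revert:", parse_mp_exclusions(EVENTS[0]["cmdline"]))
```

The benign Run-key read in the event list deliberately matches nothing: the rules key on the specific anti-analysis locations rather than on registry access in general, which is what keeps this kind of signature usable outside a sandbox.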

MITRE ATT&CK Enterprise v15

Tasks