General

  • Target

    PURCHASE ORDER.exe

  • Size

    259KB

  • Sample

    210503-67nlechn96

  • MD5

    546df2d5873be9fa50c683930a40905c

  • SHA1

    3455d5e3a61dd5192051227ab984a3fc992717a0

  • SHA256

    321bb25b6b169c5cb108a2b1a16f5fb82307059d5876201e19cc93bf425d2616

  • SHA512

    1a81f73ed431ab02697ab34772ac2bcada9e90d0fa6c8d22e5b66940e64871428f3eb9b9d3d8889e1b1f924e53933bebf7eb748bb4c9b708b701f83a1a6ade82

Score
10/10

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.3

  • C2

    http://www.onyxcomputing.com/u8nw/

  • Decoy

    constructionjadams.com
    organicwellnessfarm.com
    beautiful.tours
    medvows.com
    foxparanormal.com
    fsmxmc.com
    graniterealestategroup.net
    qgi1.com
    astrologicsolutions.com
    rafbar.com
    bastiontools.net
    emotist.com
    stacyleets.com
    bloodtypealpha.com
    healtybenenfitsplus.com
    vavadadoa3.com
    chefbenhk.com
    dotgz.com
    xn--z4qm188e645c.com
    ethyi.com

Targets

    • Target

      PURCHASE ORDER.exe

    • Size

      259KB

    • MD5

      546df2d5873be9fa50c683930a40905c

    • SHA1

      3455d5e3a61dd5192051227ab984a3fc992717a0

    • SHA256

      321bb25b6b169c5cb108a2b1a16f5fb82307059d5876201e19cc93bf425d2616

    • SHA512

      1a81f73ed431ab02697ab34772ac2bcada9e90d0fa6c8d22e5b66940e64871428f3eb9b9d3d8889e1b1f924e53933bebf7eb748bb4c9b708b701f83a1a6ade82

    Score: 10/10

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    System Information Discovery (T1082): 1

Tasks