General

  • Target

    a1118499f65450cc2df866df31b8765821acbc8181d0276bf111e2eac75c662b

  • Size

    1.2MB

  • Sample

    210727-7vl1lkvb4x

  • MD5

    b7ff6298147bff5315945653bb0f0ae8

  • SHA1

    d702f510d121df7b89b6ca6a251ff1f307ba8a13

  • SHA256

    a1118499f65450cc2df866df31b8765821acbc8181d0276bf111e2eac75c662b

  • SHA512

    10672b4e5096a41c6c8e868bd46287a2c41e3e6d49f7595d41240e0abfb35ee6b814f4603ecdc1530862843aae2fc7cc611586bfe7121438757ee5f9a4d99bba

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.northriverlawns.com/q3t0/

Decoy

xn--n8jh0ox33v9th.club

realestateactiongroup.com

theblackcottage.com

iptvfresh.com

firstseviceresidential.com

enhancemarketingsolutions.com

matchawali.com

lockedselfstorage.com

laurencervera.com

waffleicionados.com

ryanplumbingandmechanical.com

mahalabartlemathiassen.com

enter-flowers.com

berlinclick.com

pop.direct

dangeranimalsfounded.press

sweetwhiskerscreamery.com

acaciamultimedia.com

thejoyfulmark.com

bspceducation.com
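The extracted configuration above is the operationally useful part of this report: the one `C2` URL is where check-ins go, while the `Decoy` entries are legitimate third-party domains that the Formbook/XLoader family contacts alongside the real C2 to bury the beacon in unrelated traffic. A hit on a decoy domain therefore proves nothing by itself; the indicator that matters is the C2 host together with the campaign path. The script below is an added example (not code from the report or the sandbox) that encodes the config from this page and sorts constructed proxy-log lines into real C2 contact versus decoy noise; the `<epoch> <client-ip> <METHOD> <url>` log shape and the sample lines are assumptions made for the demonstration.

```python
"""Triage helper: separate XLoader C2 check-ins from decoy-domain noise in a proxy log,
using the C2 URL and decoy list extracted from this sample (XLoader 2.3)."""
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# Copied from the report's "Malware Config" section.
C2_URL = "http://www.northriverlawns.com/q3t0/"
DECOY_DOMAINS = [
    "xn--n8jh0ox33v9th.club", "realestateactiongroup.com", "theblackcottage.com",
    "iptvfresh.com", "firstseviceresidential.com", "enhancemarketingsolutions.com",
    "matchawali.com", "lockedselfstorage.com", "laurencervera.com",
    "waffleicionados.com", "ryanplumbingandmechanical.com",
    "mahalabartlemathiassen.com", "enter-flowers.com", "berlinclick.com",
    "pop.direct", "dangeranimalsfounded.press", "sweetwhiskerscreamery.com",
    "acaciamultimedia.com", "thejoyfulmark.com", "bspceducation.com",
]

_C2 = urlsplit(C2_URL)
C2_HOST = _C2.hostname   # "www.northriverlawns.com"
C2_PATH = _C2.path       # "/q3t0/"  (the campaign path, reused on every decoy as well)

# Assumed log shape (constructed for this example): "<epoch> <client-ip> <METHOD> <url>"
_LOG_RE = re.compile(r"^\S+\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def _under_domain(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_url(url: str) -> str:
    """'c2' only when host AND path match the config; 'decoy' for the listed
    legitimate domains (no evidence on their own); 'other' for everything else."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == C2_HOST and parts.path.startswith(C2_PATH):
        return "c2"
    if any(_under_domain(host, d) for d in DECOY_DOMAINS):
        return "decoy"
    return "other"


def summarize(log_lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Per-client counts of c2 / decoy / other requests; unparseable lines are skipped."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"c2": 0, "decoy": 0, "other": 0})
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        counts[m["client"]][classify_url(m["url"])] += 1
    return dict(counts)


def verdicts(summary: Dict[str, Dict[str, int]]) -> Dict[str, str]:
    """A client is flagged only on contact with the real C2; decoy-only traffic
    is surfaced for review but is not treated as an infection by itself."""
    out = {}
    for client, c in summary.items():
        if c["c2"]:
            out[client] = "c2-contact"
        elif c["decoy"]:
            out[client] = "decoy-only"
        else:
            out[client] = "clean"
    return out


# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    "1627370001.101 10.0.0.5 GET http://www.northriverlawns.com/q3t0/?2U=abc",
    "1627370002.207 10.0.0.5 GET http://www.iptvfresh.com/q3t0/",      # decoy, same path
    "1627370003.311 10.0.0.7 GET http://theblackcottage.com/",         # decoy, could be browsing
    "1627370004.418 10.0.0.7 GET https://example.com/",
    "1627370005.524 10.0.0.9 POST http://www.northriverlawns.com/q3t0/",
]

if __name__ == "__main__":
    for client, verdict in verdicts(summarize(SAMPLE_LOG)).items():
        print(client, verdict)
```

The host check is deliberately exact (`www.northriverlawns.com`, as configured) rather than domain-wide, and the decoy check is deliberately lenient, because that is the asymmetry the decoy scheme exploits: blocking the decoys produces false positives on real sites, while the C2 host plus `/q3t0/` is specific to this campaign.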

Targets

    • Target

      COPY OF REMITTANCE/COPY OF REMITTANCE APPROVAL/COPY OF REMITTANCE/Pdf-3456765439878991.exe

    • Size

      407KB

    • MD5

      d3b4611df87903b085c123e8506282f7

    • SHA1

      fdb994c236e056109d33c1c7b303040e026e08fd

    • SHA256

      e03fcee44acd1fd2bb0104d69fce6a65e12cd0612a6e75af548d60bb5ead38f9

    • SHA512

      4c60d5d03d7a9b7ff806ee98fc8d4d7973b68b60d6d4eb5fb0d5dace2d68e5848ef4f544b35c48c889a944b90a7f44e2d8d7b403137178073f935f17c889893e

    • Xloader

      Xloader is the rebranded successor of the Formbook infostealer and shares its code base, C2 protocol and decoy-domain scheme, which is why the Suricata FormBook check-in rule below fires on it.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Deletes itself

    • Suspicious use of SetThreadContext

    • Target

      COPY OF REMITTANCE/COPY OF REMITTANCE APPROVAL/COPY OF REMITTANCE/Pdf-3456765439878992.exe

    • Size

      652KB

    • MD5

      c613f4671dfe8acbc6afacf94e3eb36a

    • SHA1

      4dc985aa655283373b5befbee553bd62ba0656d5

    • SHA256

      1cb63340845e605de64b5d79855ad77e8a5668a06325e8b549c095cbedeb7947

    • SHA512

      6d1d7a622c0cadce6092d976194acc3bc0d33ff3a9e5ac65232fc733f6d9ae9dc33bc869095daef74ed6c3083ef30dffa6942f328e56aa6375f248e3dd4e4f97

    • Score

      1/10

    • Target

      COPY OF REMITTANCE/COPY OF REMITTANCE APPROVAL/COPY OF REMITTANCE/Pdf-3456765439878997.exe

    • Size

      462KB

    • MD5

      35e0f32c59d02709b50253b25992e692

    • SHA1

      b6ccb6df7aff509741012d01ff4c913e33ace7e6

    • SHA256

      94dad2c59f529054210d87908a8dc098157ce995ecdf315f98160c538baaf662

    • SHA512

      cb733d1c2721347682ed904d66eb30c15fbd06dce679eb1b79f39cb3b0bfec88badafa4a3feb1c978b3c7a5a679a175a4d4d0b1f02d8152081763691d19d181e

    • Score

      6/10

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks