General

  • Target

    SOA.exe

  • Size

    896KB

  • Sample

    210727-qplwfllkga

  • MD5

    23d890e7a25c8a51bfcec1939a20a7e9

  • SHA1

    0193e5561521c2beac81ef0e3141fe0f93f7e9b7

  • SHA256

    ddc1d5dd3d2d2a64d1d3e7586023715a1da59c30af9682843d326e0f16f12632

  • SHA512

    fcb819f6537a4829b2a5d3e605370c6991bfbd189abcc8cc786ef446060e5ced93da6f38a2b4dd6477ac6ad5712ece89bae495bbfc52debb1889f0f4a69c6c8e

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.3

  • C2

    http://www.cannabisoutletonline.com/n86i/

  • Decoy

    purpose-guide.com
    averyshairco.com
    blockchain-365.com
    jismlmuu.icu
    famosobambino.com
    firstclasstruckingny.com
    oracleoftheinternet.com
    alliesdispatchlogistics.com
    salten2.com
    bfactivator.com
    jgc40.com
    nanninghao.com
    eigorilla.info
    predies.com
    dmzg-cn.net
    registratetexas.com
    maxifina-aprovado.com
    mdqqy-dliv.xyz
    annurenterprise.com
    dongtrunghathaovanphuc.com

Targets

    • Target

      SOA.exe

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Deletes itself

    • Suspicious use of SetThreadContext
