General

  • Target

    0ictba3ik3lrJnW.exe

  • Size

    859KB

  • Sample

    210727-s1tr394gtn

  • MD5

    6e77fe0eb26c4834a5411e66a78a3e69

  • SHA1

    5c9768be8ed60c6190e68deeebc5f3c1cdbf531a

  • SHA256

    fbeb9b62ff737a87fe38709d075f3fee34502b01262480cf5a014efaab4f7075

  • SHA512

    dc466d692eee548dbcc161904527a27b2a80ebc0ae4a366a8d08a21ec627fd6ef127db3aaf0b1ec567e7ac0a5aae71374a285d1aba5cb5bb59d24d3d65a51eef

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.hokutiki.com/cogt/

Decoy

britechsoft.com

vitortedeschi.com

nittwittridge.net

nblianger.com

fs133.net

theprairiesky.com

mylexinova.com

loveiscomingbook.com

thehouseoflightning.com

gulbahorfoodblogger.online

exploringanddiscovering.com

edyscleaning.com

jihalbroskorea.com

sammys-cafe.com

smallbluer.com

voglioincontri.com

aaareplicamall.com

empireofglam.com

4hu5555.com

cookiescalofornia.com

Targets

    • Target

      0ictba3ik3lrJnW.exe

    • Size

      859KB

    • MD5

      6e77fe0eb26c4834a5411e66a78a3e69

    • SHA1

      5c9768be8ed60c6190e68deeebc5f3c1cdbf531a

    • SHA256

      fbeb9b62ff737a87fe38709d075f3fee34502b01262480cf5a014efaab4f7075

    • SHA512

      dc466d692eee548dbcc161904527a27b2a80ebc0ae4a366a8d08a21ec627fd6ef127db3aaf0b1ec567e7ac0a5aae71374a285d1aba5cb5bb59d24d3d65a51eef

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Blocklisted process makes network request

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks