General

  • Target: PO_9756-NMNBVC.exe
  • Size: 871KB
  • Sample: 210728-dk33gmcd9e
  • MD5: 9a649c1d193d55ef7f66e59b8294f24d
  • SHA1: e4c00ec807de5111c061ebc5d8421fe0d0114fc8
  • SHA256: 04657288f9e931379d2c526330b23310c8bb26d65a209a2ebca5fb089b91efe3
  • SHA512: 37fec35bf1cdae3560dc6e1503320f628d70f7a701135253412340afb84101f4ed444cb243143febbae6983969c1fe0e7e7a528fcd1aadcb7a8f08150130d4b5

Malware Config

Extracted

Family: xloader

Version: 2.3

C2: http://www.bodymoisturizer.online/q4kr/

Decoy

Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks