General

  • Target

    po-1.exe

  • Size

    854KB

  • Sample

    210906-p6zblsecgk

  • MD5

    991d571971fc0fe01211ef089fa905cc

  • SHA1

    a5415e363e44e6586ed8f36a73ce2eb5bf4ed4fd

  • SHA256

    f1619d4c36e975b2cc880b6a72db99282df847ebb72dc6446950dbcbf4d0f487

  • SHA512

    c71e2498e6c252ccb10f96499258e28878e39c873025123815eb9565bcad101d90b7b51e74bcaa58926b426f4618fb2fb6db90b93bfb4508f903e43475edbee5

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.3

  • Campaign

    k8b5

  • C2

    http://www.chongzhi365.com/k8b5/

  • Decoy

    Domains the sample contacts alongside the real C2 so that the check-in hides in cover traffic. They are typically legitimate third-party sites, not operator infrastructure, so they belong in a watch list for correlation rather than a block list for C2:

    sardamedicals.com
    reelectkendavis4council.com
    coreconsultation.com
    fajarazhary.com
    mybitearner.com
    brightpet.info
    voicewithchoice.com
    bailbondscompany.xyz
    7133333333.com
    delights.info
    gawlvegdr.icu
    sdqhpm.com
    we2savvyok.com
    primallifeathlete.com
    gdsinglecell.com
    isokineticmachines.com
    smartneckrelax.com
    gardenvintage.com
    hiphopvolume.com
    medicapoint.com
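The extracted config above is only useful once the real C2 is separated from the decoys and turned into something a blocklist or IDS can consume. The script below is an added example, not part of the sandbox report: it copies the config and hashes from the report, sanity-checks them, labels each indicator by role, and emits a Suricata rule for the check-in GET. The role labels, the check that the C2 path segment equals the campaign field, and the rule itself (keyword usage, msg text and the SID from the local 1000000+ range) are this script's assumptions about how Formbook/Xloader configs are laid out, not something the report states.

```python
"""Label the indicators in the extracted Xloader config and emit a
detection artifact for the real C2.

Added example, not part of the sandbox report. Config values and hashes
are copied from the report. The role labels, the C2-path == campaign
check and the Suricata rule (including its SID) are assumptions.
"""
from urllib.parse import urlparse

# Values as extracted in the report.
CONFIG = {
    "family": "xloader",
    "version": "2.3",
    "campaign": "k8b5",
    "c2": "http://www.chongzhi365.com/k8b5/",
    "decoys": [
        "sardamedicals.com", "reelectkendavis4council.com",
        "coreconsultation.com", "fajarazhary.com", "mybitearner.com",
        "brightpet.info", "voicewithchoice.com", "bailbondscompany.xyz",
        "7133333333.com", "delights.info", "gawlvegdr.icu", "sdqhpm.com",
        "we2savvyok.com", "primallifeathlete.com", "gdsinglecell.com",
        "isokineticmachines.com", "smartneckrelax.com", "gardenvintage.com",
        "hiphopvolume.com", "medicapoint.com",
    ],
}

HASHES = {
    "md5": "991d571971fc0fe01211ef089fa905cc",
    "sha1": "a5415e363e44e6586ed8f36a73ce2eb5bf4ed4fd",
    "sha256": "f1619d4c36e975b2cc880b6a72db99282df847ebb72dc6446950dbcbf4d0f487",
    "sha512": "c71e2498e6c252ccb10f96499258e28878e39c873025123815eb9565bcad101d"
              "90b7b51e74bcaa58926b426f4618fb2fb6db90b93bfb4508f903e43475edbee5",
}

HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def hashes_well_formed(hashes):
    """True if every digest is lowercase hex of the right length for its algorithm."""
    return all(
        len(value) == HEX_LENGTHS[algo]
        and all(c in "0123456789abcdef" for c in value)
        for algo, value in hashes.items()
    )


def campaign_from_c2(c2_url):
    """Campaign ID read as the single path segment of the C2 URL, else None.
    Assumption: Formbook/Xloader C2 URLs carry the campaign ID as their path."""
    segments = [s for s in urlparse(c2_url).path.split("/") if s]
    return segments[0] if len(segments) == 1 else None


def config_consistent(cfg):
    """Cross-check: the campaign field must match the campaign in the C2 URL."""
    return campaign_from_c2(cfg["c2"]) == cfg["campaign"]


def indicators(cfg):
    """(value, type, role) tuples. Decoys are tagged as cover traffic so they
    can be used for correlation without being blocked as if they were C2."""
    host = urlparse(cfg["c2"]).hostname
    out = [(host, "domain", "c2"), (cfg["c2"], "url", "c2")]
    out.extend((d, "domain", "decoy") for d in cfg["decoys"])
    return out


def suricata_rule(cfg, sid):
    """Suricata 5+ rule for the check-in GET to this C2 host and path.
    Assumed rule shape; adjust msg, classtype and sid to local conventions."""
    parsed = urlparse(cfg["c2"])
    return (
        "alert http $HOME_NET any -> $EXTERNAL_NET any ("
        f'msg:"LOCAL {cfg["family"]} {cfg["campaign"]} C2 check-in (GET)"; '
        'flow:established,to_server; http.method; content:"GET"; '
        f'http.host; content:"{parsed.hostname}"; '
        f'http.uri; content:"{parsed.path}"; startswith; '
        f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    print("hashes ok:", hashes_well_formed(HASHES),
          "config ok:", config_consistent(CONFIG))
    for value, kind, role in indicators(CONFIG):
        print(f"{role:6} {kind:6} {value}")
    print(suricata_rule(CONFIG, 1000001))
```

The rule keys on host and URI path together rather than on the domain alone, so a later campaign on the same host with a different path ID does not match silently; the decoy domains never reach the rule.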

Targets

    • Target

      po-1.exe

    • Xloader

      Xloader is the rebranded successor of the Formbook stealer; the Formbook network signature below still matches this sample's check-in GET.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Deletes itself

      The sample removes its own executable after running, so the dropped file is not available for collection on the host; use the hashes above from mail or proxy logs instead.

    • Suspicious use of SetThreadContext

      Sandbox signature for rewriting another thread's context, the step process hollowing uses to redirect execution into an injected image.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Command-Line Interface, T1059 (1)

  • Discovery

    System Information Discovery, T1082 (1)

Tasks