General

  • Target

    DOC.r15

  • Size

    394KB

  • Sample

    210916-nxx7hsgbal

  • MD5

    f0bfd4b4943114598facebab05709f76

  • SHA1

    a4334f218a0381e6da71acab90d1bb1ae9394c33

  • SHA256

    4d0bc62fb924d6a3ba487e61f69d9cd71c3e231ace06a3c1ce151c27a55d7a3c

  • SHA512

    f183d860becb6ce34394f7a2b0e1d4b2dea858b55b3d277c02fc9277ea1a17d7782a2ee84f0f9d35fc306cc685372dc7ff21f70ea42149519812de68df5835e9

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.4

  • Campaign

    n58i

  • C2

    http://www.nordicbatterybelt.net/n58i/

  • Decoy

    southerncircumstance.com
    mcsasco.com
    ifbrick.com
    societe-anonyme.net
    bantank.xyz
    dogecoin.beauty
    aboutacoffee.com
    babalandlordrealestate.com
    tintgta.com
    integrity.directory
    parwnr.icu
    poltishof.online
    stayandstyle.com
    ickjeame.xyz
    currentmotors.ca
    pond.fund
    petrosterzis.com
    deadbydaylightpoints.com
    hotel-balzac.paris
    focusmaintainance.com
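The extracted config above is the part of this report a responder actually reuses: the C2 URL (host plus the campaign path /n58i/) is a high-fidelity indicator, while the decoy domains are mostly legitimate sites the malware contacts to hide the real C2 and should not be blocked wholesale. The script below, an added example that is not part of the sandbox report or of any Tria.ge tooling, loads those values, scans constructed HTTP proxy log lines (the space-separated "timestamp source method url status" format is an assumption), and tiers each hit: the C2 host with the campaign path is rated high, the campaign path on a decoy host is rated medium (Formbook-family samples send the same check-in to their decoy hosts), and ordinary traffic to a decoy host is rated low. It also emits a Suricata rule for the C2 pair; the www.-stripping host comparison is a deliberate simplification.

```python
"""Hunt for Xloader/Formbook check-ins using the config extracted above.

Added example, not code from the sandbox report. The log format, the
fidelity tiers and the www.-stripping host comparison are assumptions.
"""
import re
from urllib.parse import urlsplit

# Values copied verbatim from the extracted config.
C2_URL = "http://www.nordicbatterybelt.net/n58i/"
CAMPAIGN = "n58i"
DECOY_HOSTS = frozenset({
    "southerncircumstance.com", "mcsasco.com", "ifbrick.com",
    "societe-anonyme.net", "bantank.xyz", "dogecoin.beauty",
    "aboutacoffee.com", "babalandlordrealestate.com", "tintgta.com",
    "integrity.directory", "parwnr.icu", "poltishof.online",
    "stayandstyle.com", "ickjeame.xyz", "currentmotors.ca", "pond.fund",
    "petrosterzis.com", "deadbydaylightpoints.com", "hotel-balzac.paris",
    "focusmaintainance.com",
})

C2_HOST = urlsplit(C2_URL).hostname   # "www.nordicbatterybelt.net"
C2_PATH = urlsplit(C2_URL).path       # "/n58i/"
# Check-in path is "/<campaign>/" (query string is carried separately by urlsplit).
CAMPAIGN_PATH = re.compile(r"^/%s/?$" % re.escape(CAMPAIGN))

# Assumed proxy log layout: <timestamp> <source> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def registrable(host: str) -> str:
    """Normalise a host: lower-case, drop trailing dot and a leading 'www.'.
    Simplification: a real implementation would use the public suffix list."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify(url: str):
    """Return (fidelity, reason) for one URL, or (None, '') if unrelated."""
    parts = urlsplit(url)
    host = registrable(parts.hostname or "")
    on_campaign_path = bool(CAMPAIGN_PATH.match(parts.path))
    if host == registrable(C2_HOST) and on_campaign_path:
        return "high", "check-in to the extracted C2 URL"
    if host in DECOY_HOSTS and on_campaign_path:
        return "medium", "campaign path on a decoy host (decoys receive the same request)"
    if host in DECOY_HOSTS:
        return "low", "decoy host on a non-beacon path (likely legitimate browsing)"
    return None, ""


def scan(log_text: str) -> list:
    """Parse log lines and return the hits that match any part of the config."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed format; skip it
        fidelity, reason = classify(m["url"])
        if fidelity is None:
            continue
        hits.append({"ts": m["ts"], "src": m["src"], "url": m["url"],
                     "fidelity": fidelity, "reason": reason})
    return hits


def suricata_rule(sid: int) -> str:
    """Suricata 5+ rule (sticky buffers) for the C2 host/path pair only."""
    return (
        'alert http $HOME_NET any -> $EXTERNAL_NET any ('
        'msg:"Xloader %s check-in to extracted C2"; flow:established,to_server; '
        'http.host; content:"%s"; http.uri; content:"%s"; '
        'classtype:trojan-activity; sid:%d; rev:1;)'
        % (CAMPAIGN, registrable(C2_HOST), C2_PATH, sid)
    )


# Constructed sample log lines (not real traffic); the query string mimics the
# shape of a Formbook GET check-in without reproducing any real payload.
SAMPLE_LOG = """\
2021-09-16T10:01:02Z 10.0.0.15 GET http://www.nordicbatterybelt.net/n58i/?o4=AbCdEf&sql=1 200
2021-09-16T10:01:03Z 10.0.0.15 GET http://www.southerncircumstance.com/n58i/?o4=AbCdEf&sql=1 404
2021-09-16T10:02:10Z 10.0.0.23 GET http://hotel-balzac.paris/rooms/ 200
2021-09-16T10:03:00Z 10.0.0.31 GET http://example.org/index.html 200
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("[%-6s] %s %s %s  (%s)" % (hit["fidelity"], hit["ts"],
                                         hit["src"], hit["url"], hit["reason"]))
    print(suricata_rule(1000001))
```

Run against the constructed lines, the first request is rated high, the second medium and the third low; the fourth is unrelated and produces no hit. Only the high tier is worth an automatic block; the medium tier is useful for pivoting to the infected host (the same source address appears in both), and the low tier exists so that legitimate browsing of a decoy site is visible but not alerted on.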

Targets

    • Target

      DOC.exe

    • Size

      463KB

    • MD5

      e2e027360aa11a532949fb6c013009d5

    • SHA1

      2488a833ee33ea4ce3ff0e5e7615e35d647816e2

    • SHA256

      13c2ff62d1e29d6e88c828851f842b17acb6293da92bdf5223e87a67bf00ed31

    • SHA512

      240a63a3c245d1dd963cc33b290796e646276f9488692037f26009efde4ad39b9c6af6d0c4d21ca19b5ade4a677b4b2d7e83003a519c2dbfbf408c086ca0f04a

    • Xloader

      Xloader is a rebranded version of Formbook malware; its C2 check-in keeps the Formbook request format, which is why the FormBook Suricata signature below matches this sample.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks