General

  • Target

    DOC.r15

  • Size

    406KB

  • Sample

    210917-jxktzahhgl

  • MD5

    9b29df2a9cccb311c1e78314f3790158

  • SHA1

    77bbef1402bb0eb18d5899dc6988f7fdec86f8c9

  • SHA256

    42dacd96a068e6abe4d5a8ad49eb9ce09f81050257c2b75f08f3b1c43c7196d3

  • SHA512

    2861f1af28fa71fe7cd267b17932c6264674ef7a65a2b993c0cc267dbe46698553959b8925d6e7a7b7829357dce1900a514577b0e34c982f2318e703a93d1659

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.4

  • Campaign

    n58i

  • C2

    http://www.nordicbatterybelt.net/n58i/

  • Decoy

    southerncircumstance.com
    mcsasco.com
    ifbrick.com
    societe-anonyme.net
    bantank.xyz
    dogecoin.beauty
    aboutacoffee.com
    babalandlordrealestate.com
    tintgta.com
    integrity.directory
    parwnr.icu
    poltishof.online
    stayandstyle.com
    ickjeame.xyz
    currentmotors.ca
    pond.fund
    petrosterzis.com
    deadbydaylightpoints.com
    hotel-balzac.paris
    focusmaintainance.com

Targets

    • Target

      DOC.exe

    • Size

      480KB

    • MD5

      66fc712a2dc1321fa0fc6bdf8bcd82a5

    • SHA1

      7870ac22e3c8233430e0c5df62c72397f29e1294

    • SHA256

      b092672d7f36d3deaab664c0a562b055f9cee3f247328e639aca58f025f979ca

    • SHA512

      d0c101943eb61750234a838e1c5b2571996c64c5f0800272656d74e79dd60e9737e3c5326978ff6dacdd32bde71b88b46e0b4b9e87cde7e09f1246bb3667e7d7

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Suspicious use of SetThreadContext
