General

  • Target: PAYMENT COPY.zip
  • Size: 444KB
  • Sample: 210923-pddjfaebhl
  • MD5: 1b3d0b6e90339282abbc9e22c8967488
  • SHA1: b69535c4f680a3c8cb530faee220ad5ce72337a3
  • SHA256: 618858f58c824dbace36561099a951d5cec14deb2919490f01ac4755a548c63e
  • SHA512: 65c4147457d34da86420c6d500ed7f5e2670b0eb2dc10d8acd74e44e14e152afc6a88ea212dead44fc0780865037e4ecd48c36e41c51012bc6263467b68b742f

Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign: c2ue
C2: http://www.heidevelop.xyz/c2ue/

Decoy


Targets

    • Target: PAYMENT COPY.exe
    • Size: 885KB
    • MD5: 2fdc9cdf35cbdd01b4f61eaa4d8d38a6
    • SHA1: a59e65c3ecc0c3f586bece4db3a085734c3e4da5
    • SHA256: c7e4871bd8e22a0dfd8116206cff6631ca4a91857df75017b890768da0730041
    • SHA512: 122adec9d2185d0327f4d07b466e71a55f2689216009325aa5ffd62eb8247654a8dd659031cf07197151f1c17e654a8e4f3e343a04ad61efd5def1340bf97201
    • Xloader: Xloader is a rebranded version of Formbook malware.
    • suricata: ET MALWARE FormBook CnC Checkin (GET)
    • Xloader Payload
    • Deletes itself
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactic columns (no techniques listed on this page): Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation