General

  • Target

    QUOTATION '.zip

  • Size

    444KB

  • Sample

    210924-jcrrsagce4

  • MD5

    5ca2181605f785fe1e1b3e34cf0d7cbe

  • SHA1

    f4229cc1314c3a2a823d218b1570878af3a834f6

  • SHA256

    769a104eb70d58e33f4d6ba232e5c179db1618604e62b31ceebdaf1dcae47b40

  • SHA512

    689f8524ef033645226e7aa8e4bc9f79c05e73a6d7be8fd2bd6fc603c3df73ba15a506cf7f833483908332edc1fa3f9f2b70a560b2993567ffb5cf2fa4ad1f99

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    c2ue

  • C2

    http://www.heidevelop.xyz/c2ue/

  • Decoy

    isportdata.com
    stellarex.energy
    hsucollections.com
    menuhaisan.com
    joe-tzu.com
    lumichargemktg.com
    uae.tires
    rapidcae.com
    softwaresystemsolutions.com
    s-galaxy.website
    daewon-talks.net
    northgamesnetwork.com
    catalogue-bouyguestele.com
    criativanet.com
    theseasonalshift.com
    actionfoto.online
    openmaildoe.com
    trashpenguin.com
    ennopure.net
    azurermine.com

Targets

    • Target

      QUOTATION '.exe

    • Size

      885KB

    • MD5

      2fdc9cdf35cbdd01b4f61eaa4d8d38a6

    • SHA1

      a59e65c3ecc0c3f586bece4db3a085734c3e4da5

    • SHA256

      c7e4871bd8e22a0dfd8116206cff6631ca4a91857df75017b890768da0730041

    • SHA512

      122adec9d2185d0327f4d07b466e71a55f2689216009325aa5ffd62eb8247654a8dd659031cf07197151f1c17e654a8e4f3e343a04ad61efd5def1340bf97201

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation