General

  • Target

    QUOTQTION.zip

  • Size

    424KB

  • Sample

    210924-mc171agfdm

  • MD5

    a99b952d10143e1d35d96c6b9cb0d0c8

  • SHA1

    8b93ae5b4a30e11817140014c8519824783657b3

  • SHA256

    c58d4399f56ac84de6e6aead1750f1f533baea7508199955ce74eee2b7ca3eee

  • SHA512

    e6136501128034dc3f242b2d8c339a5694fe14abe51dc2a29240f9050e2b779daaa797ea3e815b491fad6e11627bd223beb1d896a8af438726f839a7aa303f48

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

c2ue

C2

http://www.heidevelop.xyz/c2ue/

Decoy

isportdata.com

stellarex.energy

hsucollections.com

menuhaisan.com

joe-tzu.com

lumichargemktg.com

uae.tires

rapidcae.com

softwaresystemsolutions.com

s-galaxy.website

daewon-talks.net

northgamesnetwork.com

catalogue-bouyguestele.com

criativanet.com

theseasonalshift.com

actionfoto.online

openmaildoe.com

trashpenguin.com

ennopure.net

azurermine.com

Targets

    • Target

      QUOTQTION.exe

    • Size

      866KB

    • MD5

      24736913b455be2ed3d1cc67c767afc4

    • SHA1

      8026db0f265178cf013ac579c1b7267f4014bf2c

    • SHA256

      a109f0b9407728fef1b41d766e8228085ee04661156d84ef543777bf311f450b

    • SHA512

      49dd3e5ecbf6d4cd310a45d0b52e36a363d701f0a9cc14a1d3c103b613eb5a756fdc9ce8b028d69b56c4c8137d29ea3d57865b4ff75dac44bf982e5c80ee56ee

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Discovery

            Execution

              Exfiltration

                Impact

                  Initial Access

                    Lateral Movement

                      Persistence

                        Privilege Escalation