General

  • Target

    RFQ_Beijing Chengruisi Manufacturing_pdf.exe

  • Size

    417KB

  • Sample

    210924-n8kqkaghdn

  • MD5

    a30b50f5e2ea1a2d8c6bdf581e97d478

  • SHA1

    9943026649061e28fe7fd626b6d3e1c893131779

  • SHA256

    3dafcb39d7cc251c9a8212a8e745e0d72f2c530bf699a9168a379fa25e36ec38

  • SHA512

    548ca8b3f795c32ff30d4f4810e78c6a0bb2aecf42a4bc56632612b2ab5595d9d4d3fd364b6c9bcca80135f1459f7243edc020a2b61bb3b1bce04d43d79a8088

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

euzn

C2

http://www.heser.net/euzn/

Decoy

235296tyc.com

gold12guide.art

baibuaherb.com

weberwines.tax

chezvitoria.com

aidenb.tech

pitchdeckservice.com

surgeryforfdf.xyz

workunvaccinated.com

hrtaro.com

yourotcs.com

sonimultispecialityclinic.com

consultantadvisors.com

pentesting-consulting.com

dantechs.digital

longshifa.online

taweilai.net

imyusuke.com

cashndashfinancial.com

fasiglimt.quest

Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Deletes itself

    • Suspicious use of SetThreadContext
