General

  • Target

    DHL AWB# 4AB19037XXX.pdf.exe

  • Size

    11KB

  • Sample

    210927-v6m68sheh5

  • MD5

    690684b6b6a432ef5f8b34b67653d4be

  • SHA1

    34b072cdd785e0be9bf9717707a72c122ebf8e93

  • SHA256

    2ea667119c0aeda764dcb53a2adf480a26985bfc682949d0fb0c02d266342c68

  • SHA512

    b074acee0f6505a1c179af3149bc9146719b0df0bf6f0efa668d611ff388dc36f5cd7ed3c7c8a98317895ef716818ec0c3841ccff96aba0ba5ce8da15c0c6eb5

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

o4um

C2

http://www.dependablelawnsnow.com/o4um/

Decoy

kagami-belt.com

k7e.xyz

slowcontentmarketing.com

nativeamericannurse.com

stadtquartier.xyz

vietlinkmart.com

numisme.xyz

lypp-sh.com

walkerwaughray.com

homerightsolutions.com

vpdd.top

857741.com

informednewsreader.com

misachoavien.com

aslanrefinedhomes.com

bjhaitaoshop.com

lb-fo.com

shadedfaetattoos.com

tallulahapp.com

amhonlinemarketing.com

Targets

    • Target

      DHL AWB# 4AB19037XXX.pdf.exe

    • Size

      11KB

    • MD5

      690684b6b6a432ef5f8b34b67653d4be

    • SHA1

      34b072cdd785e0be9bf9717707a72c122ebf8e93

    • SHA256

      2ea667119c0aeda764dcb53a2adf480a26985bfc682949d0fb0c02d266342c68

    • SHA512

      b074acee0f6505a1c179af3149bc9146719b0df0bf6f0efa668d611ff388dc36f5cd7ed3c7c8a98317895ef716818ec0c3841ccff96aba0ba5ce8da15c0c6eb5

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Downloads MZ/PE file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks