General

  • Target

    QUOTE_PRICE_REQUEST.rar

  • Size

    238KB

  • Sample

    210929-dn32asddb3

  • MD5

    1115086cce9c56c06e96705e77d03987

  • SHA1

    29260bee8113b346134a034c9cfa766b52c02e6d

  • SHA256

    a680711b06aea48f7ad417905cd5ea531e15f82d8881409bd72efb470dea06cf

  • SHA512

    963b89f733c279872103f5acf4f5f03bb9dfc12a49786455b44fff74b2cbae26a489c9dc615c131f64dc9dfd55d77977542dd350c0a5d65e6496e7a5a9551ef0

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m6rs

C2

http://www.litediv.com/m6rs/

Decoy

globalsovereignbank.com

ktnrape.xyz

churchybulletin.com

ddyla.com

imatge.cat

iwholesalestore.com

cultivapro.club

ibcfcl.com

refurbisheddildo.com

killerinktnpasumo4.xyz

mdphotoart.com

smi-ity.com

stanprolearningcenter.com

companyintelapp.com

tacticarc.com

soolls.com

gra68.net

cedricettori.digital

mossobuy.com

way2liv.com
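The extracted config above is directly usable as a network IOC set, with one caveat a practitioner should keep in mind: Formbook/Xloader does not contact only the C2, it beacons to the decoy domains too, using the same campaign path (/m6rs/), so the decoys are part of the signature rather than noise to discard. The following Python is an added example and not part of the sandbox report: it turns the C2 URL, campaign ID and decoy list into a matcher and runs it over a few constructed proxy log lines. The log format, client addresses and request URLs are assumed; the indicators themselves are the ones listed above.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the extracted Xloader config on this page.
C2_URL = "http://www.litediv.com/m6rs/"
CAMPAIGN = "m6rs"
DECOYS = [
    "globalsovereignbank.com", "ktnrape.xyz", "churchybulletin.com", "ddyla.com",
    "imatge.cat", "iwholesalestore.com", "cultivapro.club", "ibcfcl.com",
    "refurbisheddildo.com", "killerinktnpasumo4.xyz", "mdphotoart.com",
    "smi-ity.com", "stanprolearningcenter.com", "companyintelapp.com",
    "tacticarc.com", "soolls.com", "gra68.net", "cedricettori.digital",
    "mossobuy.com", "way2liv.com",
]

# Constructed proxy log lines (assumed format: timestamp client method url status).
LOG_LINES = """\
2021-09-29T10:01:12Z 10.0.0.15 GET http://www.litediv.com/m6rs/?abc=1 200
2021-09-29T10:01:40Z 10.0.0.15 GET http://www.ddyla.com/m6rs/?xyz=2 404
2021-09-29T10:02:03Z 10.0.0.15 POST http://www.imatge.cat/m6rs/ 200
2021-09-29T10:02:30Z 10.0.0.22 GET http://www.example.com/m6rs/ 200
2021-09-29T10:03:00Z 10.0.0.22 GET http://www.litediv.com/ 200
2021-09-29T10:03:15Z 10.0.0.22 GET http://www.microsoft.com/en-us/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def normalize_host(host):
    """Lower-case, drop a trailing dot and a leading www. so www.litediv.com == litediv.com."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_indicators(c2_url=C2_URL, campaign=CAMPAIGN, decoys=DECOYS):
    """C2 host plus every decoy host (normalized), and the campaign URI path."""
    hosts = {normalize_host(urlsplit(c2_url).hostname)} | {normalize_host(d) for d in decoys}
    return hosts, "/" + campaign + "/"


def host_listed(host, hosts):
    """Exact match or subdomain of any listed host."""
    host = normalize_host(host)
    return any(host == h or host.endswith("." + h) for h in hosts)


def classify(url, hosts, path):
    """'beacon' = listed host AND campaign path; weaker partial matches are labelled as such."""
    parts = urlsplit(url)
    on_list = host_listed(parts.hostname or "", hosts)
    on_path = parts.path == path
    if on_list and on_path:
        return "beacon"
    if on_path:
        return "path_only"  # campaign path on an unlisted host: worth a look, not a verdict
    if on_list:
        return "host_only"  # decoys are real sites; plain browsing to one is not a hit
    return None


def scan(log_text=LOG_LINES):
    """Return (client, url, verdict) for every log line that matches an indicator."""
    hosts, path = build_indicators()
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["url"], hosts, path)
        if verdict:
            hits.append((m["src"], m["url"], verdict))
    return hits


def beaconing_clients(hits):
    """Clients with at least one full beacon match, i.e. the likely infected hosts."""
    return sorted({src for src, _, verdict in hits if verdict == "beacon"})


if __name__ == "__main__":
    found = scan()
    for src, url, verdict in found:
        print(f"{verdict:10} {src:12} {url}")
    print("beaconing clients:", beaconing_clients(found))
```

In the constructed log, 10.0.0.15 is reported as beaconing on the strength of the decoy hits alone (ddyla.com and imatge.cat with the campaign path), which is exactly the case a C2-host-only rule would miss; the two requests from 10.0.0.22 are surfaced as partial matches for an analyst to triage rather than as verdicts.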

Targets

    • Target

      QUOTE_PRICE_REQUEST.exe

    • Size

      252KB

    • MD5

      48043c9a21d0547478331c1613660595

    • SHA1

      9985a65e0aa690308454632223393d8d18a1c744

    • SHA256

      75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6

    • SHA512

      408613c89266eedf165e465e6021880cb4e2db943bec88d068db954ee23f80b55445fd9fd66f42f08924a93fa11f25e343c8f654c7cc2918efa09b00570294db

    • Formbook

Formbook is an information-stealing malware family: it harvests credentials from browsers and mail clients, logs keystrokes and grabs data submitted in web forms.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

Modify Registry (T1112): 2

Discovery

System Information Discovery (T1082): 1
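The behaviour signatures listed under Targets (policy Run key, dropped EXE executed, dropped DLL loaded, self-deletion) and the ATT&CK mapping above are what a host-side hunt would replay from endpoint telemetry. The Python below is an added example, not the sandbox's own rule logic: it walks constructed events shaped like Sysmon's ProcessCreate (1), ImageLoad (7), FileCreate (11), RegistryValueSet (13) and FileDelete (23) records and raises the same signatures, tagging the Run-key write with the T1060/T1112 IDs from the matrix. Assumptions: the "policy Run key" is taken to be the Policies\Explorer\Run key (and the plain CurrentVersion\Run key is flagged as the general T1060 case, which goes beyond what the page states); the dropped file names, paths and PIDs are constructed. The SetThreadContext signature is not visible in these event types and is left out.

```python
import re

# Assumed (not stated on the page): the "policy Run key" signature refers to values written
# under ...\CurrentVersion\Policies\Explorer\Run. The plain Run key is covered as the general
# T1060 case.
POLICY_RUN_RE = re.compile(r"\\CurrentVersion\\Policies\\Explorer\\Run\\", re.I)
RUN_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)

SAMPLE = r"C:\Users\user\Desktop\QUOTE_PRICE_REQUEST.exe"       # name from the report
DROP_EXE = r"C:\Users\user\AppData\Roaming\drop\dropped.exe"  # constructed path
DROP_DLL = r"C:\Users\user\AppData\Roaming\drop\dropped.dll"  # constructed path

# Constructed events in Sysmon's shape: 1 ProcessCreate, 7 ImageLoad, 11 FileCreate,
# 13 RegistryValueSet, 23 FileDelete.
EVENTS = [
    {"id": 1,  "pid": 100, "ppid": 1,   "image": SAMPLE},
    {"id": 11, "pid": 100, "image": SAMPLE, "target": DROP_EXE},
    {"id": 11, "pid": 100, "image": SAMPLE, "target": DROP_DLL},
    {"id": 1,  "pid": 200, "ppid": 100, "image": DROP_EXE},
    {"id": 7,  "pid": 200, "image": DROP_EXE, "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"id": 7,  "pid": 200, "image": DROP_EXE, "loaded": DROP_DLL},
    {"id": 13, "pid": 200, "image": DROP_EXE,
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\drop",
     "data": DROP_EXE},
    {"id": 1,  "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 23, "pid": 300, "image": r"C:\Windows\System32\cmd.exe", "target": SAMPLE},
]


def analyze(events):
    """Replay the trace in order and emit one finding per matched signature."""
    dropped = set()   # files written by any traced process
    images = set()    # image paths of every traced process (sample, payload, children)
    findings = []
    for e in events:
        img = e["image"].lower()
        images.add(img)
        if e["id"] == 11:
            dropped.add(e["target"].lower())
        elif e["id"] == 1 and img in dropped:
            findings.append({"sig": "Executes dropped EXE", "technique": [],
                             "detail": e["image"]})
        elif e["id"] == 7 and e["loaded"].lower() in dropped:
            findings.append({"sig": "Loads dropped DLL", "technique": [],
                             "detail": e["loaded"]})
        elif e["id"] == 13:
            if POLICY_RUN_RE.search(e["key"]):
                findings.append({"sig": "Adds policy Run key to start application",
                                 "technique": ["T1060", "T1112"], "detail": e["key"]})
            elif RUN_RE.search(e["key"]):
                findings.append({"sig": "Adds Run key to start application",
                                 "technique": ["T1060", "T1112"], "detail": e["key"]})
        elif e["id"] == 23 and e["target"].lower() in images:
            # The original sample removed by a process in its own lineage.
            findings.append({"sig": "Deletes itself", "technique": [],
                             "detail": f"{e['target']} removed by pid {e['pid']}"})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['sig']:45} {','.join(f['technique']) or '-':12} {f['detail']}")
```

Two details matter when running this over real telemetry: the dropped-file set must be built from the whole lineage (the sample writes the files, its child executes and loads them), and the self-delete is attributed to a child process (here cmd.exe), so a rule that only looks at the sample's own PID would miss it.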

Tasks