General

  • Target: QUOTATION.exe
  • Size: 1MB
  • Sample: 211001-kz15eabdbr
  • MD5: 4ce1ff3c9b5b16f57513e1c54ee4e96d
  • SHA1: d024009dbb744ae61815eeb9e0519948b063e059
  • SHA256: bdf00456287e3b458420249732255abf583ab0d6b5eb263f45d6ff329abdde93
  • SHA512: f03fa30e8081cbd11d13475641e4bfad6bd0147c670b764346f8c3255fae9992e8d8c82cabc4ce57a58732de1d4ef8a6220a2b71bb6f1ba9d82fb042c23ae619

Malware Config

Extracted

  • Family: xloader
  • Version: 2.5
  • Campaign: c2ue
  • C2: http://www.heidevelop.xyz/c2ue/
  • Decoy domains:
    isportdata.com
    stellarex.energy
    hsucollections.com
    menuhaisan.com
    joe-tzu.com
    lumichargemktg.com
    uae.tires
    rapidcae.com
    softwaresystemsolutions.com
    s-galaxy.website
    daewon-talks.net
    northgamesnetwork.com
    catalogue-bouyguestele.com
    criativanet.com
    theseasonalshift.com
    actionfoto.online
    openmaildoe.com
    trashpenguin.com
    ennopure.net
    azurermine.com

Targets

    • Target: QUOTATION.exe
    • Size: 1MB
    • MD5: 4ce1ff3c9b5b16f57513e1c54ee4e96d
    • SHA1: d024009dbb744ae61815eeb9e0519948b063e059
    • SHA256: bdf00456287e3b458420249732255abf583ab0d6b5eb263f45d6ff329abdde93
    • SHA512: f03fa30e8081cbd11d13475641e4bfad6bd0147c670b764346f8c3255fae9992e8d8c82cabc4ce57a58732de1d4ef8a6220a2b71bb6f1ba9d82fb042c23ae619

    Signatures

    • Xloader: Xloader is a rebranded version of Formbook malware.
    • suricata: ET MALWARE FormBook CnC Checkin (GET)
    • Xloader Payload
    • Deletes itself
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactics (table columns): Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation