Resubmissions

21-10-2021 12:24

211021-pk26daace2 10

21-10-2021 09:57

211021-lyxk9sahgp 10

General

  • Target

    51cd4ea4c20552f51824b13af3a93360

  • Size

    847KB

  • Sample

    211021-lyxk9sahgp

  • MD5

    51cd4ea4c20552f51824b13af3a93360

  • SHA1

    1f85673268160d356cc66056e18e721646a51034

  • SHA256

    891ff9447dec210b5897080666b8281d7387206c14dba7587465e16bd2efa117

  • SHA512

    add0bc6bec599694cdd9c19101edf0b66a914aa4198ed9f10d23e4c14b8bf2708c992917326974007c59c4e6e5c49063c0e1ade25556cdc19ae9dc1a8c79fbcf

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

sb6n

C2

http://www.best5amazon.com/sb6n/

Decoy


Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (T1060) 1

  • Defense Evasion: Modify Registry (T1112) 2

Tasks