Resubmissions

21-10-2021 12:23    211021-pkzp9aacd9    10

21-10-2021 09:57    211021-lyxk9sahgr    10

General

  • Target

    9aaf287388698afd5ef8bfeb1fb8ee24

  • Size

    23KB

  • Sample

    211021-lyxk9sahgr

  • MD5

    9aaf287388698afd5ef8bfeb1fb8ee24

  • SHA1

    97c0f28698ddc4e9b512a37f0230de3846922649

  • SHA256

    c01942eeca190f7672db0e7e3322a21b52c66f669b41f1dd0ef852c8dd003cb3

  • SHA512

    e634eea49486d6cc8a0f3227b674184eff9ba57afa1a26f708687ef92f21d4ac979be19fad65c4430f4fb31e9746b286cad83ed3c1f668823bc66667e6c8dfe3

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mxnu

C2

http://www.naplesconciergerealty.com/mxnu/

Decoy

insightmyhome.com

gabriellamaxey.com

029atk.xyz

marshconstructions.com

technichoffghosts.com

blue-ivy-boutique-au.com

1sunsetgroup.com

elfkuhnispb.store

caoliudh.club

verifiedpaypal.net

jellyice-tr.com

gatescres.com

bloomberq.online

crystaltopagent.net

uggs-line.com

ecommerceplatform.xyz

historyofcambridge.com

sattaking-gaziabad.xyz

digisor.com

beachpawsmobilegrooming.com
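The extracted config above gives one real C2 URL and a list of decoy domains, so the practical next step is to turn it into hunting indicators. The following Python is an added example and is not part of the sandbox report or of any vendor tooling. The config values are copied from the page; the proxy-style log lines are constructed, and the "campaign-path" tier (flagging `/mxnu/` on a host that is not in the config) is an assumption added for hunting, not something the report states.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Values below are copied from the extracted config in this report.
CONFIG = {
    "family": "xloader",
    "version": "2.5",
    "campaign": "mxnu",
    "c2": "http://www.naplesconciergerealty.com/mxnu/",
    "decoys": [
        "insightmyhome.com", "gabriellamaxey.com", "029atk.xyz",
        "marshconstructions.com", "technichoffghosts.com",
        "blue-ivy-boutique-au.com", "1sunsetgroup.com", "elfkuhnispb.store",
        "caoliudh.club", "verifiedpaypal.net", "jellyice-tr.com",
        "gatescres.com", "bloomberq.online", "crystaltopagent.net",
        "uggs-line.com", "ecommerceplatform.xyz", "historyofcambridge.com",
        "sattaking-gaziabad.xyz", "digisor.com", "beachpawsmobilegrooming.com",
    ],
}


def norm_host(host: str) -> str:
    """Lower-case a hostname and drop a leading 'www.' so that
    'www.gabriellamaxey.com' matches the bare decoy entry."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def c2_parts(config: dict) -> tuple[str, str]:
    """Split the C2 URL into (normalised host, path)."""
    u = urlsplit(config["c2"])
    return norm_host(u.hostname or ""), u.path


def classify(url: str, config: dict) -> str | None:
    """Return 'c2', 'decoy', 'campaign-path' or None for one URL.

    Host matches are the strong signal. The path-only tier is an assumption
    added for hunting: the campaign name is the first path component of the
    C2 URL, so a request to /<campaign>/ on an unlisted host is worth a look
    if the same build is pointed at a new domain."""
    u = urlsplit(url)
    host = norm_host(u.hostname or "")
    c2_host, c2_path = c2_parts(config)
    if host == c2_host:
        return "c2"
    if host in {norm_host(d) for d in config["decoys"]}:
        return "decoy"
    if u.path.startswith(c2_path):
        return "campaign-path"
    return None


def scan_log(lines: str, config: dict) -> list[tuple[str, str, str, str]]:
    """Scan constructed proxy-style lines '<ts> <src> <method> <url>' and
    return (ts, src, verdict, url) for every line that hits the config."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, _method, url = line.split(maxsplit=3)
        verdict = classify(url, config)
        if verdict:
            hits.append((ts, src, verdict, url))
    return hits


# Constructed sample log; these lines are not from the sandbox run.
SAMPLE_LOG = """\
2021-10-21T10:03:11Z 10.0.0.5 GET http://www.naplesconciergerealty.com/mxnu/?k2=abc
2021-10-21T10:03:40Z 10.0.0.5 GET http://www.gabriellamaxey.com/mxnu/?k2=abc
2021-10-21T10:04:02Z 10.0.0.5 GET https://www.python.org/downloads/
2021-10-21T10:05:00Z 10.0.0.9 POST http://example.org/mxnu/
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, CONFIG):
        print(*hit)
```

A hit on the C2 host is the strong indicator; a hit on a decoy domain is weaker on its own, since the report labels those as decoys rather than as infrastructure, but the same source contacting the C2 host and several decoys in a short window is the pattern to look for.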

Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1

    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Scripting (T1064): 1

    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 3

    Query Registry (T1012): 2