REE20212110575259OCT.lzh

General
Target: REE20212110575259OCT.lzh
Size: 404KB
Sample: 211021-pkfx5sacd7
Score: 10/10
MD5: 5db43b8c8a1fea81c63ec85f0899d505
SHA1: f39a98fc1598e574a9f105b9b22b6c33315f2098
SHA256: cc92a5217fc8672312221ff0c7e7e24fc466c94e47bd813545839052f4b71a30
SHA512: c2d14cc5332cef854d427360dc2d89a578704fc6372d066f2cd47e899ff8598b737a1be7cc6cfcf0e2d0441e5aee31eb160195fb9faf159b7be4deb12576fe92

Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: gab8
C2: http://www.purodetalle.com/gab8/
Decoy:
  amateurfeetworship.com
  big-food.biz
  metaversevolution.com
  profecional-pacasmayo.com
  royzoom.com
  bekindevolution.com
  hokozaki.com
  waltersswholesale.com
  wayfinderacu.com
  schnurrgallery.com
  babygearrentals.net
  imggtoken.club
  24x7x366.com
  lakiernictwo.info
  les-cours.com
  dwticket.com
  onarollshades.com
  ramireztradepartners.com
  safarparfums.com
  6ngie.info
  hoedetamni.quest
  europeangurl.com
  sakhakot.com
  franciscoalpizar.com
  jsyysn.com
  goldberg-lighting.com
  symbebidas.online
  aucoeurducadeau.com
  diamondscaterers.com
  surswain.quest
  gequper.xyz
  roytsb.com
  332151.com
  hienrenow.com
  skullother.com
  betnubhelp.com
  donerightcleaningnation.info
  noukou-tonkotsu.xyz
  bulkysofthome.com
  yuejiayouhua.com
  sevillalimpieza.com
  involvefinance.com
  obz7mo9amu.com
  niftyfashionreward.com
  refunddngame.com
  norllix.com
  vergadercentrumdji.com
  1006e.com
  boraeresici.com
  partnerbebefits.com
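Turning the extracted config into a detection, as an added example that is not part of this sandbox report: the Python below is hypothetical code that loads the C2, campaign ID and (a subset of) the decoy list reported above and runs them over a constructed proxy log in a made-up "<timestamp> <source> <method> <url> <status>" layout. The point it demonstrates is a characteristic of the Formbook/Xloader family rather than something the report states: the bot beacons to the decoy hosts with the same /<campaign>/ URI it uses for the real C2, so the path is the pivot that separates a beacon from a user browsing one of the (unrelated, often legitimate) decoy sites. Log lines, IP addresses and the example.net host are constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Extracted config as reported above. Only a handful of the decoy domains
# are repeated here; the full list is in the Malware Config section.
XLOADER_CONFIG = {
    "family": "xloader",
    "version": "2.5",
    "campaign": "gab8",
    "c2": "http://www.purodetalle.com/gab8/",
    "decoy": [
        "amateurfeetworship.com",
        "big-food.biz",
        "metaversevolution.com",
        "royzoom.com",
        "hokozaki.com",
    ],
}

# Constructed proxy log in a made-up "<ts> <src> <method> <url> <status>"
# layout; these lines are illustrative, not captured traffic.
LOG_SAMPLE = """\
2021-10-21T10:57:52Z 10.0.0.21 GET http://www.purodetalle.com/gab8/?aB3=abcd 200
2021-10-21T10:57:53Z 10.0.0.21 POST http://www.royzoom.com/gab8/ 404
2021-10-21T10:57:54Z 10.0.0.21 GET http://www.hokozaki.com/ 200
2021-10-21T10:58:01Z 10.0.0.33 GET http://example.net/gab8/ 200
2021-10-21T10:58:05Z 10.0.0.33 GET https://www.big-food.biz/shop 200
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def normalize_host(host):
    """Lower-case, strip a trailing dot and a leading 'www.' so the apex
    domains in the decoy list compare against the hostnames seen in URLs."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


@dataclass(frozen=True)
class Indicators:
    c2_host: str          # apex host of the extracted C2
    campaign_path: str    # "/<campaign>/", the URI the bot beacons to
    decoys: frozenset     # apex decoy hosts from the config


def build_indicators(cfg):
    c2 = urlparse(cfg["c2"])
    return Indicators(
        c2_host=normalize_host(c2.hostname),
        campaign_path="/%s/" % cfg["campaign"],
        decoys=frozenset(normalize_host(d) for d in cfg["decoy"]),
    )


def classify(url, ind):
    """Return 'high', 'medium', 'low' or None for a single request URL.

    Formbook/Xloader bots send their beacons to the decoy hosts using the
    same /<campaign>/ path as to the real C2, so the host alone does not
    separate a real beacon from a user browsing a decoy site; the path does.
    """
    u = urlparse(url)
    if not u.hostname:
        return None
    host = normalize_host(u.hostname)
    path = u.path or "/"
    on_campaign_path = path.startswith(ind.campaign_path)
    if host == ind.c2_host and on_campaign_path:
        return "high"      # request to the extracted C2 itself
    if host in ind.decoys and on_campaign_path:
        return "medium"    # beacon-shaped request to a known decoy
    if on_campaign_path:
        return "low"       # campaign path on a host this config does not list
    return None            # decoy host without the beacon path, or unrelated


def scan(log_text, ind):
    """Run classify() over every parseable log line; return (level, src, url)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        level = classify(m["url"], ind)
        if level:
            hits.append((level, m["src"], m["url"]))
    return hits


if __name__ == "__main__":
    for level, src, url in scan(LOG_SAMPLE, build_indicators(XLOADER_CONFIG)):
        print("%-6s %-10s %s" % (level, src, url))
```

Only the C2 host is worth blocking outright; the decoy entries are unrelated domains the bot contacts to bury the real C2 in traffic, so a plain hit on one of them (the hokozaki.com and big-food.biz lines above) is left unflagged, while a decoy host combined with the /gab8/ path is reported as a probable beacon.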

Targets
Target: REE20212110575259OCT.exe
MD5: 9c00fc940483cff2a0f3f619db16ad54
Filesize: 498KB
Score: 10/10
SHA1: 6f9c746d9cfb4e0bbf829783a82b883f7317b16b
SHA256: 8a54e41751369783c64f56f30133b985933092324e9b2dad025641d23643280c
SHA512: 30451538f9ed65159280a168c711056d7bc0776d0c30f1c82bfa4dfacfe4373c01f503004f1eacc1a690104f99bf7e78c61c5436261c0813508467ff5dd4ff21

Signatures
  • Xloader
    Description: Xloader is a rebranded version of Formbook malware.
  • Xloader Payload
  • Sets service image path in registry
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Deletes itself
  • Drops file in System32 directory
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix
(tactic columns only: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation)

Tasks
static1
behavioral1: 10/10
behavioral2: 10/10
behavioral3: 10/10
behavioral5: 10/10
behavioral6: 10/10
behavioral7: 10/10