371c76d36256463a54d34e12d6741720

General

Target: 371c76d36256463a54d34e12d6741720
Size: 251KB
Sample: 211021-pkp6tabbdj
Score: 10/10
MD5: 371c76d36256463a54d34e12d6741720
SHA1: 41843093a5b3a7f5712abd30937004b203851252
SHA256: 4de35ea5d1f54708e27e4806246a6c9d9b2217cfef24c7b2321a8f6026c5d98c
SHA512: f2e87fb4628a8b413ced0d92bcedafc4667e8655ac2c13fa15b7f806ddd19daec919003da80f4157f83e5a24b24a4ccac98c2dfd351227b6a549443c8e7c5759

Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign: m5cw
C2: http://www.art-for-a-cause.com/m5cw/

Decoy (domains the bot contacts alongside the real C2, using the same campaign path, so that the real C2 is harder to pick out of network traffic; they are not confirmed attacker infrastructure, many are live legitimate sites, so treat requests to them as infection evidence rather than blocking them outright)

stolpfabriken.com

aromaessentialco.com

rmcclaincpa.com

wuruixin.com

sidhyanticlasses.com

horilka.store

organic-outlaws.com

customsoftwarelogistics.com

cheryltesting.com

thecompacthomegym.com

the22yards.club

quickloanprovidersservices.com

grippyent.com

guard-usa.com

agircredit.com

classificationmetallurgie.com

quizzesandcode.com

catdanos.com

8676789.rest

gotbestshavlngplansforyou.com

supboarddesign.com

byrdemailplans.xyz

anngola.com

milelefoods.com

runawaypklyau.xyz

redesignyourpain.com

yourtv2ship.info

jxypc.com

lerjighjuij.store

spiruline-shop.com

qarziba-therapy.care

hardayumangosteen.com

freevolttech.com

xiongbaosp.xyz

balanzasdeplataforma.com

johnathanmanney.com

estcequecestgreen.com

france-temps-partage.net

fbiicrc.com

privateairjets.com

xn--5m4a23skoc.group

andrewmurnane.com

exitin90.com

depofmvz.com

bosphorus.website

aragon.store

nrnmuhendislik.com

thesharingcorporation.com

tccraft.online

carjabber.com
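The extracted config is directly usable for hunting. Formbook/Xloader bots beacon to the real C2 and to the decoy domains with the same campaign path (here /m5cw/), so a request to any decoy that carries that path is evidence of an infected host, while ordinary browsing to a decoy domain is not. The script below is an added example, not part of the sandbox report or of any Triage tooling: it takes the C2, campaign and decoy values from the config above, classifies proxy-log URLs against them, and rolls up a per-source verdict. The log format and the sample lines are constructed for illustration, and the query parameter values are placeholders, not real Xloader beacon data.

```python
"""Hunt proxy logs for Xloader beacons using the config extracted in this report.

Added example (not part of the sandbox report). Indicator values come from the
Malware Config section above; the log format and sample lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# --- Indicators copied from the report's Malware Config section -------------
C2_URL = "http://www.art-for-a-cause.com/m5cw/"
CAMPAIGN = "m5cw"
DECOYS = {
    "stolpfabriken.com", "aromaessentialco.com", "rmcclaincpa.com", "wuruixin.com",
    "sidhyanticlasses.com", "horilka.store", "organic-outlaws.com",
    "customsoftwarelogistics.com", "cheryltesting.com", "thecompacthomegym.com",
    "the22yards.club", "quickloanprovidersservices.com", "grippyent.com",
    "guard-usa.com", "agircredit.com", "classificationmetallurgie.com",
    "quizzesandcode.com", "catdanos.com", "8676789.rest",
    "gotbestshavlngplansforyou.com", "supboarddesign.com", "byrdemailplans.xyz",
    "anngola.com", "milelefoods.com", "runawaypklyau.xyz", "redesignyourpain.com",
    "yourtv2ship.info", "jxypc.com", "lerjighjuij.store", "spiruline-shop.com",
    "qarziba-therapy.care", "hardayumangosteen.com", "freevolttech.com",
    "xiongbaosp.xyz", "balanzasdeplataforma.com", "johnathanmanney.com",
    "estcequecestgreen.com", "france-temps-partage.net", "fbiicrc.com",
    "privateairjets.com", "xn--5m4a23skoc.group", "andrewmurnane.com",
    "exitin90.com", "depofmvz.com", "bosphorus.website", "aragon.store",
    "nrnmuhendislik.com", "thesharingcorporation.com", "tccraft.online",
    "carjabber.com",
}


def normalize_host(host):
    """Lower-case a hostname, drop a trailing dot and a leading 'www.' label."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


C2_HOST = normalize_host(urlsplit(C2_URL).hostname)  # "art-for-a-cause.com"
CAMPAIGN_PATH = "/" + CAMPAIGN                        # "/m5cw"


def classify_url(url):
    """Label one requested URL against the extracted config.

    c2             real C2 with the campaign path: confirmed beacon
    c2-host        C2 host without the path (may be a compromised legitimate site)
    decoy-beacon   known decoy with the campaign path: only an infected bot does this
    decoy-browsing known decoy without the path: most likely ordinary browsing
    campaign-path  unknown host with the campaign path: possible rotated C2/decoy
    clean          nothing matched
    """
    parts = urlsplit(url)
    host = normalize_host(parts.hostname)
    on_path = parts.path.rstrip("/") == CAMPAIGN_PATH
    if host == C2_HOST:
        return "c2" if on_path else "c2-host"
    if host in DECOYS:
        return "decoy-beacon" if on_path else "decoy-browsing"
    if on_path:
        return "campaign-path"
    return "clean"


# Constructed log format (hypothetical): "<timestamp> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

# Constructed sample lines; "PLACEHOLDER" stands in for the bot's encoded query data.
SAMPLE_LOG = """\
2021-10-21T09:14:02Z 10.0.8.23 GET http://www.art-for-a-cause.com/m5cw/?id=PLACEHOLDER 200
2021-10-21T09:14:05Z 10.0.8.23 POST http://stolpfabriken.com/m5cw/ 404
2021-10-21T09:14:09Z 10.0.8.23 GET http://horilka.store/m5cw/?id=PLACEHOLDER 404
2021-10-21T09:20:11Z 10.0.8.41 GET https://aromaessentialco.com/products 200
2021-10-21T09:22:33Z 10.0.8.57 POST http://example.net/m5cw/ 200
2021-10-21T09:25:00Z 10.0.8.66 GET https://intranet.example/login 200
"""


def hunt(log_text):
    """Group non-clean hits by source IP and assign one verdict per source."""
    hits_by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        label = classify_url(m["url"])
        if label != "clean":
            hits_by_src[m["src"]].append((label, m["url"]))
    report = {}
    for src, hits in hits_by_src.items():
        labels = {label for label, _ in hits}
        if labels & {"c2", "decoy-beacon"}:
            verdict = "infected"    # campaign path on a known C2/decoy: bot traffic
        elif labels & {"campaign-path", "c2-host"}:
            verdict = "suspicious"  # needs analyst review
        else:
            verdict = "benign"      # only decoy browsing: do not page anyone
        report[src] = {"verdict": verdict, "hits": hits}
    return report


if __name__ == "__main__":
    for src, info in hunt(SAMPLE_LOG).items():
        print(src, info["verdict"])
        for label, url in info["hits"]:
            print("   ", label, url)
```

In practice only the C2 host goes on a block list; the campaign path is the better network detection because it survives the operator swapping which of the 50-odd domains is real, and the decoy list is kept as context so that a single hit on a legitimate site does not page anyone.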

Targets

Target: 371c76d36256463a54d34e12d6741720 (the submitted file; size, score and MD5/SHA1/SHA256/SHA512 are as listed under General)

Signatures

  • Registers COM server for autorun
    TTPs: Registry Run Keys / Startup Folder
  • Xloader
    Description: Xloader is a rebranded version of Formbook malware.
  • Xloader Payload
  • Sets service image path in registry
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Loads dropped DLL
  • Drops file in System32 directory
  • Suspicious use of SetThreadContext (redirecting a suspended thread's entry point, as in process hollowing and thread-hijack injection)

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Tasks

static1: 1/10
behavioral1: 10/10
behavioral2: 10/10
behavioral3: 10/10
behavioral6: 10/10