9aaf287388698afd5ef8bfeb1fb8ee24

General
Target

9aaf287388698afd5ef8bfeb1fb8ee24

Size

23KB

Sample

211021-pkzp9aacd9

Score

10/10

MD5

9aaf287388698afd5ef8bfeb1fb8ee24

SHA1

97c0f28698ddc4e9b512a37f0230de3846922649

SHA256

c01942eeca190f7672db0e7e3322a21b52c66f669b41f1dd0ef852c8dd003cb3

SHA512

e634eea49486d6cc8a0f3227b674184eff9ba57afa1a26f708687ef92f21d4ac979be19fad65c4430f4fb31e9746b286cad83ed3c1f668823bc66667e6c8dfe3

Malware Config

Extracted

Family xloader
Version 2.5
Campaign mxnu
C2

http://www.naplesconciergerealty.com/mxnu/

Decoy

Targets

Tags

Signatures

  • Formbook

    Description

    Formbook is a data-stealing malware family.

    Tags

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

    Tags

  • Xloader Payload

    Tags

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Uses the VBS compiler for execution

    TTPs

    Scripting

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix

Collection
Command and Control
Credential Access
Defense Evasion
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation

Tasks

static1

behavioral2

1/10