General

  • Target

    deac43fe9aefbcd9c0cc9366f8e7bb3d.exe

  • Size

    878KB

  • Sample

    211028-ta4cxagfbn

  • MD5

    deac43fe9aefbcd9c0cc9366f8e7bb3d

  • SHA1

    a3bfeef6b874d17f200d2a252e7c5105085998ac

  • SHA256

    c5cc26741a66e28959229d6bfe5631990e7404561731ac4def76f0fb70a43475

  • SHA512

    27d83316b1a66edf17ef7f885e2c04af52584cddf0e01e13b7c71c3448d814566f3549ea983be676057f731dd021109e287b04352b5c5734e5496a41d2c84e42

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    upi8

  • C2

    http://www.dfwbcs.com/upi8/

  • Decoy

    portavella.net
    wraphollywood.com
    uodpik.website
    1h30m.online
    taziyesayfalari.net
    bigredtrucking.net
    thr33h3ad3ddragon.art
    magentavar.com
    crowliz.net
    italianexpresshouston.com
    laminaparfum.com
    xn--espaol101-o6a.online
    orderonlinegift.com
    fittuning.com
    jurisligne.com
    palmbeachdb.com
    vatikanlottery.com
    worldtravelcostarica.com
    treeplantco.com
    veloci-cloud.com

Targets

    • Target

      deac43fe9aefbcd9c0cc9366f8e7bb3d.exe


    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Suspicious use of SetThreadContext
