General

  • Target

    PAGO 07132021.7z

  • Size

    338KB

  • Sample

    211028-v9m1msggdm

  • MD5

    8ec98179169d06df68f49bc136b2aa52

  • SHA1

    bfc83a5bb32f6e97e39c9ad7b6f9d95e6f17ed93

  • SHA256

    77dcfbdfe92e2b51202b65a3a8edd533a2ec35a4a4553c9cb487354c086b0bb4

  • SHA512

    94e065d65df1f1215a8558ffa002cc098c7297b310f8b0459386f8715a66e92f3f2b9082bde601bb1a02e990c844699501ab17817e6d7187c50c0bc6f2084b0e

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    r3n5

  • C2

    http://www.keeyasmarketplace.com/r3n5/

  • Decoy

Targets

    • Target

      PAGO 07132021.exe

    • Size

      501KB

    • MD5

      8b1970c679a37504e6b2825d8189b441

    • SHA1

      5aef94a80a56f141a7587c1136fa529b7b3eeebc

    • SHA256

      77dffb6d88fb330bdd578583657a9741897f2c94fea5881985a72ba16071cb21

    • SHA512

      8c6974dd03c7c83542e3eacabea0a35101d19c853a2af06bb2a7be4176bbf945e26b9f2528859febb3d5521a220c74eb1287545803ff4df2cc94065d83576fd5

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks