General

  • Target

    HSBC TT Copy 101121.rar

  • Size

    244KB

  • Sample

    211116-ybyw2acbfr

  • MD5

    85d1b77e49b292efda384c4ca43836b9

  • SHA1

    e4f9998c48220fea06cb1f372c68c2b3c56666b5

  • SHA256

    ded8c07fb7142ba39946dd3aaac2ec104a19cd919f4e7a7eda7781db6e3816ee

  • SHA512

    9c66e2c19aeb8bd95732c87dd0fc73280cf9182a1810fe1b1e9c7504df5a86a3b04aaaa26b952d089c4ef78bcf190885e7179c854e978cff6f6d0a34d66c890e

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

e8ia

C2

http://www.helpfromjames.com/e8ia/

Decoy

le-hameau-enchanteur.com

quantumsystem-au.club

engravedeeply.com

yesrecompensas.lat

cavallitowerofficials.com

800seaspray.com

skifun-jetski.com

thouartafoot.com

nft2dollar.com

petrestore.online

cjcutthecord2.com

tippimccullough.com

gadget198.xyz

djmiriam.com

bitbasepay.com

cukierniawz.com

mcclureic.xyz

inthekitchenshakinandbakin.com

busy-clicks.com

melaniemorris.online

Targets

    • Target

      REVISE 50% OCTA INVOICE.exe

    • Size

      257KB

    • MD5

      093048c24b9994fef2130cd8457e7a4b

    • SHA1

      f3c31eefe661b1febc80c0865af8f4fd1385ac7f

    • SHA256

      0e803b7715385244cae58772b5b0da43b7cca6a97c5ffd182081eca8676ff5d7

    • SHA512

      e95142b25ae3078c642df183213ed06ccb0b5b65c4b25c3844803258d8b149c3570fdd00a25b539199f44ad10877c37139e430febe304ad6860511c379d4a2ba

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Command-Line Interface (T1059): 1

  • Discovery

    System Information Discovery (T1082): 2

Tasks