General

  • Target

    jvDX48oGKQdeYMi.exe

  • Size

    383KB

  • Sample

    220127-l1nq5sagdj

  • MD5

    99b9c988d90c490263510e46d63e1eb3

  • SHA1

    8d805807d852e5e7746c995d3c0d7bdd6480ee9b

  • SHA256

    e34c0a8218be6d3783e8cd61b8040b6b39004ad34e68c1cdb2f123b636e6b274

  • SHA512

    ef837611568b5e8c2d6857a085e4bcf2f2f33a556819ade65fe1f4301c5de9c6cf3165d79c90ad9c6a9ddae431c17cb26438c6dc5684d76e4202f17ef2b33327

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

wdc8

Decoy

mygotomaid.com

joyoushealthandwellnessspa.com

wefundprojects.com

magicbasketbourse.net

vitos3.xyz

oligopoly.city

beauty-bihada.asia

visitnewrichmond.com

crgeniusworld.biz

bantasis.com

transsexual.pro

casagraph.com

eastjamrecords.com

howtotrainyourmustache.com

heiappropriate.xyz

bataperu.com

ces341.com

prajahitha.com

manuelagattegger.com

wolfpackmotorcycletours.com

Targets

    • Target

      jvDX48oGKQdeYMi.exe

    • Size

      383KB

    • MD5

      99b9c988d90c490263510e46d63e1eb3

    • SHA1

      8d805807d852e5e7746c995d3c0d7bdd6480ee9b

    • SHA256

      e34c0a8218be6d3783e8cd61b8040b6b39004ad34e68c1cdb2f123b636e6b274

    • SHA512

      ef837611568b5e8c2d6857a085e4bcf2f2f33a556819ade65fe1f4301c5de9c6cf3165d79c90ad9c6a9ddae431c17cb26438c6dc5684d76e4202f17ef2b33327

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Command-Line Interface (T1059): 1

  • Discovery

    System Information Discovery (T1082): 1
