General

  • Target: 11128ecb20c21ca6dd1bc29409c2a33de2aa5f6db4483bd1062085821d3b4186
  • Size: 485KB
  • Sample: 220130-h4q4wsggem
  • MD5: c58d5e2b828ecaed0e6688d65e6961e9
  • SHA1: 8018e506a3e3a7ca5dacbf8b70e2cf5d8b897013
  • SHA256: 11128ecb20c21ca6dd1bc29409c2a33de2aa5f6db4483bd1062085821d3b4186
  • SHA512: ec56fa47bb8381cc39b54df8226661e0906463ea9c4ec2b8ddcffc674ae97b2d3b716d6595faae119ac79eec275edb6f82fb3fb9fce0a73357305a837af977b1

Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign: 46uq
Decoy

Targets

    • Target: TT_SWIFT_Export Order_noref S10SMG00318021.exe
    • Size: 653KB
    • MD5: fff91c58119d3cd7f68457e8565f7116
    • SHA1: 4201eb7214bd3658889739e4856412b8063e0405
    • SHA256: f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745
    • SHA512: c05cf9e0ed2aad4c08b394d97fc1257d273aa8dd51a45487ba51ff5973ab7b2227aba7ea1e1e8e9daf7416aaea418b06edfa29ff93665f6d3cc5b1a392dbed92
    • Xloader: Xloader is a rebranded version of Formbook malware.
    • suricata: ET MALWARE FormBook CnC Checkin (GET)
    • Xloader Payload
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                | Technique                    | Count | ATT&CK ID
  Execution             | Scheduled Task               | 1     | T1053
  Persistence           | Scheduled Task               | 1     | T1053
  Privilege Escalation  | Scheduled Task               | 1     | T1053
  Discovery             | System Information Discovery | 1     | T1082