General

  • Target: SC221420.IMG
  • Size: 1.2MB
  • Sample: 220215-vtfavsaegj
  • MD5: 2e39197eefddf6c8d79a4775078872d1
  • SHA1: 5a96005690d656881a03dde2974d8263b15def7e
  • SHA256: cc8d7caae86931fd55dbe76f6dce9cbbfedc3a9bd329c39a63e62c4b58ec39a4
  • SHA512: 1ef12c97dc6f34ad94e9cbe951617ba1b1198c0a00192c9ec997e1823e19da248e95c1af7323e451454972751260ab837e03fd506f59513521cd59fdfce1866a

Malware Config

Extracted

  • Family: xloader
  • Version: 2.5
  • Campaign: ahc8

Decoy


Targets

    • Target: SC221420.EXE
    • Size: 456KB
    • MD5: 376f50bcc33f115ff257d0c05ac4ba1b
    • SHA1: 6a81172d13f238b8ca60850870070ce8f3b20488
    • SHA256: 0fcfde1ee285a35c722bfdd0b33f08771a26503d4bfc20541726456cf9351af1
    • SHA512: 9bcce9e9dd2f2326f11b8a94867808404af9741e8e0dec59cf073a6eec666acfbb3eaaa26b6bb155060679937ee991048bf4ba3398bc53354c50dd9b61dae81c

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • System Information Discovery (T1082): 3
  • Query Registry (T1012): 2

Tasks