General

  • Target

    DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe

  • Size

    17KB

  • Sample

    220220-ve5bfacfhq

  • MD5

    aeaddb6a276a6dff4f24b8588c5e67f8

  • SHA1

    00bb4c75c0227f965bc76bd2bef1a4aca9687d30

  • SHA256

    b04aa6e695c5275ae754bd61c9f45bc3ebdfcc8aed769fae0d744284d072b15e

  • SHA512

    47fefb178984e1eb736e17d78ee2ea1f269e7306f6c0b192b31748af3db33ef91d9d6213cfd96391fdaf71c00d9612a6d10012f4d2dc3f5707ca3de8eeb8fc01

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

po6r

Decoy

Targets

    • Modifies WinLogon for persistence

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

    T1004 Winlogon Helper DLL: 1

Defense Evasion

    T1112 Modify Registry: 1