General

  • Target

    DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe

  • Size

    17KB

  • Sample

    220221-ef9pjsfafm

  • MD5

    23c8ac1dece030f7b6a967116135a2bd

  • SHA1

    fcd3afc6427bf06794a34ba8fa8101a210d83453

  • SHA256

    0abb22830a161d2009ae8067a6807250990022c039c3006dc13b3ca4af789f67

  • SHA512

    0027b3b16d9b0f9fce4416264f1999d1b5ba97b27a7a807858745f81cde0b581a2e2d8a5449067b435b06f1f2a64cb512196d34aac15ea617ec8da8c894bbbf2

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    po6r

  • Decoy

    jnhuichuangxin.com
    mubashir.art
    extol.design
    doyyindh.xyz
    milanoautoexperts.com
    4thefringe.com
    453511.com
    sellathonautocredit.com
    velgian.com
    6672pk.com
    wodeluzhou.com
    sumiyoshiku-hizaita.xyz
    imoveldeprimeira.com
    dgjssp.com
    endokc.com
    side-clicks.com
    cashndashfinancial.com
    vanhemelryck.info
    agamitrading.com
    woofgang.xyz

Targets

    • Target

      DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe

    • Modifies WinLogon for persistence

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Winlogon Helper DLL (T1004): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 1
