R00127789.exe

General

Target: R00127789.exe
Size: 754KB
Sample: 220521-ahq8rsdbeq
Score: 10/10
MD5: 5ade5905aebb3d0f6cafd3d36c01927b
SHA1: 8b5f6901647c9f17114e3092fc2b226c7478121d
SHA256: d10a6b48293d226a0700a84f7dc756fe50c78a9d167500e3b3c763781c52b006
SHA512: c2e324286d7a819f9dc228b51258e888db980fbdd5a05171bd25ba6c742b3ff71d285db095ab7d577f620f8a3e5baba0c863154d4f63df6e5b1e0241362421a4

Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign: mjup
Decoy domains (50):
cyqcc.com
mynext.guru
clickbuzz.tech
testingsitewp.store
starblast.space
xn--cocola-6wa.com
kathicrafts.com
tiktokshop.cloud
akasa42.com
therosedalefw.com
fabuluxepicnicsatl.com
dtoyer.com
trungtambtx.com
uploaded.space
newgradient.com
micron365.com
driving-ukrainka.com
feretsfreshcutsproduce.com
1781tudor301.info
mecca-services.com
privacyqlxyvu.online
tomopro.net
b8ceex.com
strategybllc.com
ivikno.com
lqydzc.com
toutbesoin.com
reunionwaveclassic.com
5ifbc.com
nailwrapsturkiye.com
greengriffinmerc.com
candeliver.online
sandifordprivatetutelage.com
ma7lat.online
zongzizaixian.com
groupsexlivecams.com
cookinggem.com
hojohotsprings.com
lefevrerealtor.com
nro-onc.biz
gloford.com
goldsmash.net
halachmi.online
kosherlending.com
asdspietro.com
trustwaves.net
ciscoworkplace.com
fluiwesn291-ocn.xyz
yangscatering.com
anushreehomemadeproducts.online

Targets

Target: R00127789.exe
MD5: 5ade5905aebb3d0f6cafd3d36c01927b
Filesize: 754KB
Score: 10/10
SHA1: 8b5f6901647c9f17114e3092fc2b226c7478121d
SHA256: d10a6b48293d226a0700a84f7dc756fe50c78a9d167500e3b3c763781c52b006
SHA512: c2e324286d7a819f9dc228b51258e888db980fbdd5a05171bd25ba6c742b3ff71d285db095ab7d577f620f8a3e5baba0c863154d4f63df6e5b1e0241362421a4

Signatures

  • Xloader
    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)
    Suricata alert: the sandbox observed the FormBook/Xloader command-and-control check-in HTTP GET during execution.

  • Xloader Payload

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Loads dropped DLL

  • Suspicious use of SetThreadContext (thread context rewrite, the primitive used for process injection and hollowing)

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation (technique cells not preserved in this extract)

Tasks

static1
behavioral1: 10/10
behavioral2: 10/10