New purchase Order.exe

General
Target

New purchase Order.exe

Size

477KB

Sample

220521-b3abeschd8

Score
10 /10
MD5

dd481272bd8f9e8ca40868e4a90db854

SHA1

8871b4d7173d89b539aa1b3e91139cb4c0ce744e

SHA256

8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267

SHA512

168ed59d8f6edd7b37b44441480e59fdef67beb35487974aec59aa36852407c75d5537532f6cd0104327516fd2e0359fadb6fe56a8def782864413df341761a8

Malware Config

Extracted

Family xloader
Version 2.6
Campaign a8hq
Decoy

veteransductcleaning.com

beajtjunkies.com

houseofascofi.com

scottsdalemediator.com

atelyadesign.com

profitcase.pro

imtokenio.club

qinglingpai.com

bigsmile-meal.net

daytonlivestream.com

aspiradores10.online

ytybs120.com

hdatelier.com

bearpierce.com

yeson28ca.com

booklearner.com

m8j9.club

mmophamthinhlegend.space

hq4a7o6zb.com

sophiadaki.online

sunraiz.site

calorieup.com

vighneshequipments.com

695522z.xyz

xjfhkjy.com

jcpractice.xyz

micahriffle.com

babiezarena.com

heythatstony.com

bmtjt.com

aete.info

yeyeps.com

chafaouihicham.com

globalider.com

uwksu.com

jimmy.technology

theveatchplantation.com

devondarcy.com

suburbpaw.online

ballsfashion.com

devsecops-maturity-analysis.net

naturealizarte.com

jpvuy.icu

algoworksconsulting.com

51jzsy.com

the-arboretum.net

sportsmachine.xyz

kemanewright.com

transporteslatinoberlin.com

multirollup.xyz
Targets
Target

New purchase Order.exe

MD5

dd481272bd8f9e8ca40868e4a90db854

Filesize

477KB

Score
10/10
SHA1

8871b4d7173d89b539aa1b3e91139cb4c0ce744e

SHA256

8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267

SHA512

168ed59d8f6edd7b37b44441480e59fdef67beb35487974aec59aa36852407c75d5537532f6cd0104327516fd2e0359fadb6fe56a8def782864413df341761a8

Tags

Signatures

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

    Tags

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    Tags

  • Xloader Payload

    Tags

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry

  • Suspicious use of SetThreadContext

Related Tasks

behavioral1behavioral2
MITRE ATT&CK Matrix
Collection
Command and Control
    Credential Access
    Defense Evasion
    Discovery
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Persistence
              Privilege Escalation
                Tasks

                static1

                behavioral1

                3/10

                behavioral2

                10/10