New purchase Order.exe

General
Target

New purchase Order.exe

Size

477KB

Sample

220521-b4gf5achh7

Score

10/10
MD5

dd481272bd8f9e8ca40868e4a90db854

SHA1

8871b4d7173d89b539aa1b3e91139cb4c0ce744e

SHA256

8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267

SHA512

168ed59d8f6edd7b37b44441480e59fdef67beb35487974aec59aa36852407c75d5537532f6cd0104327516fd2e0359fadb6fe56a8def782864413df341761a8

Malware Config

Extracted

Family xloader
Version 2.6
Campaign a8hq
Decoy


Targets
Target

New purchase Order.exe

Signatures

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload

  • Blocklisted process makes network request

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry, System Information Discovery

  • Suspicious use of SetThreadContext

Tasks

  • static1

  • behavioral1: 10/10

  • behavioral2: 10/10