General

  • Target

    DOCUMENTS.exe

  • Size

    862KB

  • Sample

    220616-j944dadce3

  • MD5

    53ae53a71c080b54af95ff0b759d0326

  • SHA1

    ade19e6305e3342033a550a6e2b7d84f426b7be8

  • SHA256

    57ac59a69f7b5366e58b18100717297d5ae1570252bf5f3bf3158d2de57e8002

  • SHA512

    20ada04bd7e86e7baf4ea3b89bf9ad88e95215e2dc1443cd15ba2754de79d17fe7999fc45ad003ea396423509f0c291a754df4a1e28ba4736a9c7ae76459baaa

Malware Config

Extracted

Family

xloader

Version

2.7

Campaign

sdzp

Decoy

hurntogtons.com

dd2buftl6ph7uy.life

boredasmr.com

blk-haulage.com

rlxscpe.com

hubinvoice.com

okanaganiced.com

jinghangxc.com

sipcargologistics.com

loversclubapparel.net

shumeldavisual.com

ds922.com

yousef.toys

notremuse.com

rentrentrent.online

ghettogunclub.com

nlsc.chat

greattaxhelper.com

wqedead.space

augustamobilenotary.net
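Formbook-family samples cycle through their configured decoy domains when checking in, which is why the list above is labelled "Decoy": most of these are ordinary sites, and a single request to one of them is not evidence of infection. The useful signal is one host touching several of them in a short window. The following hunt is an added example, not part of the sandbox report or any vendor tooling; the domain list is copied from the report, the proxy log lines are constructed, and the window and threshold are assumptions to tune per environment.

```python
"""Hunt proxy logs for Xloader/Formbook-style check-in bursts against the decoy list.

Added example, not code from the sandbox report. The domains come from the
report's "Decoy" section; the log lines below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Copied from the report's extracted config.
DECOY_DOMAINS = {
    "hurntogtons.com", "dd2buftl6ph7uy.life", "boredasmr.com", "blk-haulage.com",
    "rlxscpe.com", "hubinvoice.com", "okanaganiced.com", "jinghangxc.com",
    "sipcargologistics.com", "loversclubapparel.net", "shumeldavisual.com",
    "ds922.com", "yousef.toys", "notremuse.com", "rentrentrent.online",
    "ghettogunclub.com", "nlsc.chat", "greattaxhelper.com", "wqedead.space",
    "augustamobilenotary.net",
}

# Constructed proxy log: "<ISO timestamp> <client> <method> <host> <path>".
# 10.0.0.5 hits four decoys in seconds (burst); 10.0.0.9 is a real visit to
# one site; 10.0.0.7 touches two decoys 35 minutes apart plus a POST.
SAMPLE_LOG = """\
2022-06-16T09:44:01 10.0.0.5 GET hurntogtons.com /check/
2022-06-16T09:44:03 10.0.0.5 GET www.boredasmr.com /check/
2022-06-16T09:44:06 10.0.0.5 GET hubinvoice.com /check/
2022-06-16T09:44:09 10.0.0.5 GET ds922.com /check/
2022-06-16T09:50:00 10.0.0.9 GET boredasmr.com /
2022-06-16T10:05:00 10.0.0.7 GET rlxscpe.com /
2022-06-16T10:40:00 10.0.0.7 GET yousef.toys /
2022-06-16T10:41:00 10.0.0.7 POST nlsc.chat /upload
"""


def decoy_match(host, domains=DECOY_DOMAINS):
    """Return the listed domain that `host` equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def parse_line(line):
    ts, client, method, host, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), client, method, host, path


def find_bursts(lines, domains=DECOY_DOMAINS, min_domains=3,
                window=timedelta(minutes=10)):
    """Map client -> sorted decoy domains for clients that GET at least
    `min_domains` distinct decoys inside `window` (threshold is an assumption)."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, method, host, _ = parse_line(line)
        matched = decoy_match(host, domains)
        if method == "GET" and matched:  # the check-in the ET rule describes is a GET
            hits[client].append((ts, matched))

    findings = {}
    for client, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {d for t, d in events[i:] if t - start <= window}
            if len(seen) >= min_domains:
                findings[client] = sorted(seen)
                break
    return findings


if __name__ == "__main__":
    for client, domains in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(client, "->", ", ".join(domains))
```

Treat a burst as a lead to pivot on (process, parent, the full URI) rather than a verdict; because the decoys are legitimate sites, blocking the whole list outright would break real users without stopping the one live C2 hidden among them.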

Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Looks for VirtualBox Guest Additions in registry

    • Xloader Payload

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence so the payload only runs in the regions the operator targets.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites the register state of another thread and is commonly used to redirect a suspended or hijacked thread into injected code (process hollowing / thread hijacking), so the unpacked payload ends up executing inside another process.
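The registry signatures above are individually noisy (plenty of legitimate software reads BIOS and locale information), so what a triage analyst wants is to correlate them per process. The following is an added example, not code from the sandbox or the report: it parses constructed Procmon-style CSV lines and maps registry operations onto the report's signature names. The key paths used for matching are the locations these checks commonly target and are assumptions, not values taken from the report; the threshold is likewise an assumption.

```python
"""Per-process triage of sandbox/VM-detection registry reads.

Added example, not code from the sandbox report. The CSV trace below is
constructed; the registry prefixes are assumed locations for each check.
"""
import csv
import io
from collections import defaultdict

# Signature name (as in the report) -> assumed registry prefix it reads.
SIGNATURES = {
    "Looks for VirtualBox Guest Additions in registry":
        r"hklm\software\oracle\virtualbox guest additions",
    "Looks for VMWare Tools registry key":
        r"hklm\software\vmware, inc.\vmware tools",
    "Checks BIOS information in registry":
        r"hklm\hardware\description\system\bios",
    "Checks computer location settings":
        r"hkcu\control panel\international\geo",
    "Maps connected drives based on registry":
        r"hklm\system\mounteddevices",
}

# Constructed Procmon-style export (Process Name, PID, Operation, Path, Result).
SAMPLE_TRACE = r'''"Process Name","PID","Operation","Path","Result"
"DOCUMENTS.exe","4120","RegOpenKey","HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions","NAME NOT FOUND"
"DOCUMENTS.exe","4120","RegOpenKey","HKLM\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools","NAME NOT FOUND"
"DOCUMENTS.exe","4120","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer","SUCCESS"
"DOCUMENTS.exe","4120","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS"
"DOCUMENTS.exe","4120","RegQueryValue","HKLM\SYSTEM\MountedDevices\\DosDevices\C:","SUCCESS"
"DOCUMENTS.exe","4120","CreateFile","C:\Users\user\AppData\Local\Temp\DOCUMENTS.exe","SUCCESS"
"explorer.exe","1232","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS"
'''


def normalize(path):
    """Lower-case and drop the WOW6432Node redirection a 32-bit process sees."""
    return path.lower().replace(r"\wow6432node", "")


def triage(csv_text):
    """Return {process: {signature: [raw paths]}} for matching registry ops."""
    findings = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if not row["Operation"].startswith("Reg"):
            continue  # only registry operations are of interest here
        path = normalize(row["Path"])
        for name, prefix in SIGNATURES.items():
            if path.startswith(prefix):
                findings[row["Process Name"]][name].append(row["Path"])
    return {proc: dict(sigs) for proc, sigs in findings.items()}


def is_evasive(process_findings, min_signatures=3):
    """Flag a process when several distinct checks co-occur (threshold assumed)."""
    return len(process_findings) >= min_signatures


if __name__ == "__main__":
    for proc, sigs in triage(SAMPLE_TRACE).items():
        flag = "EVASIVE" if is_evasive(sigs) else "benign-looking"
        print(f"{proc}: {len(sigs)} signature(s) -> {flag}")
        for name, paths in sigs.items():
            print(f"  {name}: {paths[0]}")
```

The point of `is_evasive` is the co-occurrence: explorer.exe reading the locale key on its own is normal, while one freshly dropped binary reading the VirtualBox, VMware, BIOS, locale and mounted-device keys in sequence before doing anything else is the pattern the report's signatures describe.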

MITRE ATT&CK Enterprise v6