General

  • Target

    63432f8db655602a09f399a33736bb8b

  • Size

    368KB

  • Sample

    220616-lg9t9scgcr

  • MD5

    63432f8db655602a09f399a33736bb8b

  • SHA1

    ff89e79ca601a15eb1eb1db09574cc86473009ed

  • SHA256

    5499722e1f4ec7741ea1dcf1eca662770ce18522e37bab9688b93b43e7c542c1

  • SHA512

    bc07d34816a2939e345747c582b31626cc2094d33912e95b9f59579cef492c4f8ee05d6ea7553c797681aed9763f0911f687b3a5c9dfd7e90ba945b2820e3cf9

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

k0dn

Decoy

T7P6iI21J+kfXKlzSbMmKg==

8ydBXovaF9iFIHY/2ny03yGRZ3Kz

jGv2GQ1OhAyHLK1I2NA=

lfc/U27HEsfvL35ZSbMmKg==

IQYzRVqb9KlUkJQ=

4+372KGkJxXgWw==

aIsVb70Hz5GNaH5n

590Orgru5qEKMCa8hY/h

5UXPfcdhZuKNaH5n

WckGHJB+EdzDTps=

b9dtfhiEzC8=

pwtN2vo54alUkJQ=

8GiuxgFloDy6A5lxDQ==

oA5T3vk478TtNUISrFrOTNUQoQ==

g5KNqj7ZVC7pnOezYkm+9z+tw4Ob2Stq

bFKZMSlG2JG6XJY8KtX2

mYfUAxdpZzO0VQ==

8F2fstAL/wKmTA==

tJ/ZdOFw2KPm/QHhnEzsEGecd7jQIQ==

Q7HwfoOL8alZho0=

Targets

    • Target

      DHL Receipt.exe

    • Size

      388KB

    • MD5

      fa794359331a2f4e8dfc9f1ef708c81a

    • SHA1

      89ebc66d6914963eed7c38d054c7bcdacff4a6c3

    • SHA256

      575270987483aa95a9dcdbe5b0949f1c28d21a89fed663139efc9beb8c6f75f4

    • SHA512

      59c5e820d212f6ca51fbbe8fff8ce4a23753ac1f0b7511f70b8310e6570740d6603ad2e866f28f81d8e6fedc9a633e3c2f9ae834d968d66f847a40f4fa401ba4

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Adds policy Run key to start application

    • Suspicious use of SetThreadContext
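The two behavioural signatures above ("Adds policy Run key to start application" and the SetThreadContext injection indicator) are what an analyst would translate into host detections. The block below is an added example, not code from the sandbox or from this report: it scans Sysmon-style registry value-set events (Event ID 13) for writes under the Policies\Explorer\Run key that this signature refers to, plus the ordinary Run/RunOnce keys, and rates a hit higher when it is the policy key or when the autostart target lives in a user-writable directory. The log format, field names, the sample events and the path/value names inside them are all constructed for the example; the SetThreadContext signature is an API-level indicator and is not covered here.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Autostart key paths (hive and SID stripped, lower-cased) and how we label them.
# "Policies\Explorer\Run" is the key the sandbox signature "Adds policy Run key" refers to;
# it is rarely touched by legitimate installers, so it is treated as higher severity.
AUTORUN_KEYS = {
    r"software\microsoft\windows\currentversion\policies\explorer\run": "policy Run key",
    r"software\microsoft\windows\currentversion\run": "Run key",
    r"software\microsoft\windows\currentversion\runonce": "RunOnce key",
}

# Directories a freshly dropped payload usually lives in (assumption; tune for your estate).
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|public)\\", re.IGNORECASE)


@dataclass
class Hit:
    image: str      # process that wrote the value
    key_kind: str   # which autostart key was written
    target: str     # full registry path as logged
    payload: str    # value data, normally the path that will be launched
    severity: str   # "high" or "medium"


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value key="quoted value"' log line into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def _normalise(target: str) -> str:
    """Lower-case the key path and drop the hive prefix and any user SID."""
    t = target.replace("/", "\\").lower()
    t = re.sub(r"^(hklm|hkcu|hku|hkey_[a-z_]+)\\", "", t)
    t = re.sub(r"^s-1-5-[0-9-]+\\", "", t)
    return t


def detect_autorun_writes(lines: Iterable[str]) -> List[Hit]:
    """Return a Hit for every Event ID 13 SetValue that lands in an autostart key."""
    hits: List[Hit] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13" or ev.get("EventType") != "SetValue":
            continue
        key_path = _normalise(ev.get("TargetObject", "")).rsplit("\\", 1)[0]  # drop value name
        kind = AUTORUN_KEYS.get(key_path)
        if kind is None:
            continue
        payload = ev.get("Details", "")
        high = kind == "policy Run key" or USER_WRITABLE.search(payload) is not None
        hits.append(Hit(ev.get("Image", "?"), kind, ev.get("TargetObject", ""),
                        payload, "high" if high else "medium"))
    return hits


# Constructed sample events (not taken from the report); paths and value names are invented.
SAMPLE_EVENTS = [
    'EventID=13 EventType=SetValue Image="C:\\Users\\victim\\Desktop\\DHL Receipt.exe" '
    'TargetObject="HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion'
    '\\Policies\\Explorer\\Run\\ZF2U8ZQZQM" Details="C:\\Program Files (x86)\\Vw5d\\wbfcy2tv4.exe"',
    'EventID=13 EventType=SetValue Image="C:\\Windows\\System32\\svchost.exe" '
    'TargetObject="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth" '
    'Details="%windir%\\system32\\SecurityHealthSystray.exe"',
    'EventID=13 EventType=SetValue Image="C:\\Users\\victim\\AppData\\Local\\Temp\\upd.exe" '
    'TargetObject="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd" '
    'Details="C:\\Users\\victim\\AppData\\Local\\Temp\\upd.exe"',
    'EventID=1 Image="C:\\Windows\\explorer.exe" CommandLine="explorer.exe"',
]


if __name__ == "__main__":
    for h in detect_autorun_writes(SAMPLE_EVENTS):
        print(f"[{h.severity}] {h.key_kind}: {h.image} -> {h.payload}")
```

Run against the constructed events, the policy-key write from the phishing lure and the Temp-resident Run entry surface as high, while the Windows-signed svchost.exe write to a standard Run key is kept as a medium-severity entry for review rather than dropped, since Run-key writes by system binaries are common but still worth an allowlist decision.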

MITRE ATT&CK Enterprise v6