General

  • Target

    New Vendor Reg.jar

  • Size

    386KB

  • Sample

    220616-pzmz1ahfa7

  • MD5

    66519abb5dc73481091d07984fa9255a

  • SHA1

    51995ee518076e92b84b71497e576a31a28b96db

  • SHA256

    4ca97145822fa092ef34388318a1d302687a094ce96394bfaa67ecf92f5856d9

  • SHA512

    cb0a9f6a9ee9a5f973ae7a7f69638184454a79ebbb097ca1795012704a2624685ccf9449196bca40e85e6639c518fee629145cc0b0be931aba9f6a400f6a8e50

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.6

  • Campaign

    ne5f

  • Decoy

    presentationmeetup.biz
    mlune.com
    smplsnoot.com
    gatorlendingnearme.com
    matsu-den.net
    dac-nj.com
    currentsea.rentals
    peter-elst.com
    hyo7jzsunsh6ad8rjwsa.com
    5gsmartsales.xyz
    medinfoedu.com
    tenderstembroccoli.com
    solicitglobal.com
    lojashauren.com
    constructionboots.online
    hecsearc.com
    tandemcoruna.com
    ordinateam.com
    heikyoum.xyz
    segawa-kensetu.com

Targets

    • Target

      New Vendor Reg.exe

    • Size

      848KB

    • MD5

      bbbf08949b4ca357104450ab5683729f

    • SHA1

      25513c4e48d250b9f6687629cc4d41201bdbecda

    • SHA256

      d9be4c80cc0be31124f4c9f835624a76317f4c0028cbf2188f311df2d325c324

    • SHA512

      9860e6cbe1aea1fe860dd58bd916071ec76488d0a8877f0bbce7b05e683f02838c1e8c85b1293cad2ba205c8647ceafee41dd2a011e86df79be7b5e525e423b3

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • ModiLoader Second Stage

    • Xloader Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks