General

  • Target

    PAYMENT COPY.zip

  • Size

    487KB

  • Sample

    220621-g3rhlaeca2

  • MD5

    1fff88b07a5cded5c4cf7bbdc6e99e51

  • SHA1

    8d32fe3e3eaf255de22fc6cb264e3171d96d7e6a

  • SHA256

    12dad12ea40f9ea651fb7f6fd53bd397f824111f1f57cd88f567fce0c71a2c6b

  • SHA512

    daf2dd0d9301a7d21fa8f9a1f395deb37062dcce0c299404709521a90ba1035f5eb2c177f27a666be217fd8bd27c20b0cb419d4fc538faadd2d0954ae2b46d64

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.6

  • Campaign

    be3s

  • Decoy

    aoxaswa.info
    souplab-graphic.com
    churchontheisland.com
    spclassic-cars.com
    stanford-edu.club
    heydowm.online
    chattanooga-electricians.com
    sectsk.com
    cxg98.com
    buildafricaonline.net
    buydogcoin.com
    vsst247.com
    lodgelastrancas.com
    ainonaho.com
    griousndwarehsftyfs.xyz
    voltagestabilizersupply.com
    xn--79q565dzfex9hg81b.com
    isrvr-ccrforum.info
    chitiandi.com
    criticaldisco.com
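The domain list above is the one the sandbox pulled from the sample's configuration. Formbook and Xloader configs mix the live C2 domain(s) with decoys, so a host resolving one of them is a lead to investigate, not proof of a beacon. The following is an added example for this report, not sandbox output: it normalizes hostnames (case, trailing dot, punycode form of the xn-- entry) and scans constructed DNS-log lines for queries that fall under any config domain, requiring a label boundary so that a near-miss like "notsectsk.com" does not match "sectsk.com". The log format and the sample lines are constructed for illustration.

```python
"""Scan DNS-log lines for the domains extracted from this sample's Xloader
config. Added example for this report (not sandbox output). The log lines are
constructed; the domain list is the one the report lists under Decoy."""
import re
from typing import Iterable, List, Optional, Tuple

# Domains the sandbox extracted from the xloader 2.6 config (campaign be3s).
# Formbook/Xloader configs mix the live C2 domain(s) with decoys, so a hit
# is a lead to investigate on that host, not proof of a beacon.
XLOADER_BE3S_DOMAINS = (
    "aoxaswa.info", "souplab-graphic.com", "churchontheisland.com",
    "spclassic-cars.com", "stanford-edu.club", "heydowm.online",
    "chattanooga-electricians.com", "sectsk.com", "cxg98.com",
    "buildafricaonline.net", "buydogcoin.com", "vsst247.com",
    "lodgelastrancas.com", "ainonaho.com", "griousndwarehsftyfs.xyz",
    "voltagestabilizersupply.com", "xn--79q565dzfex9hg81b.com",
    "isrvr-ccrforum.info", "chitiandi.com", "criticaldisco.com",
)

# Constructed log format (assumption): "<ts> client=<ip> query=<name> type=<rrtype>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<name>\S+)")


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and IDNA-encode, so that a Unicode
    hostname and its punycode (xn--) form, as in the config, compare equal."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host  # malformed label: fall back to the raw lower-cased string


def match_config_domain(host: str,
                        domains: Iterable[str] = XLOADER_BE3S_DOMAINS) -> Optional[str]:
    """Return the config domain that host equals or is a subdomain of, else None.
    A label boundary is required, so 'notsectsk.com' does not match 'sectsk.com'."""
    h = normalize_host(host)
    for d in domains:
        d = normalize_host(d)
        if h == d or h.endswith("." + d):
            return d
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, queried name, matched config domain) for
    every parseable log line whose queried name falls under a config domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        d = match_config_domain(m["name"])
        if d:
            hits.append((m["ts"], m["client"], m["name"], d))
    return hits


# Constructed sample lines: two true hits (a subdomain with a trailing dot,
# and an upper-cased name), one benign name, one near-miss, one junk line.
SAMPLE_LOG = [
    "2022-06-21T10:00:01Z client=10.0.0.5 query=www.sectsk.com. type=A",
    "2022-06-21T10:00:02Z client=10.0.0.5 query=updates.example.com type=A",
    "2022-06-21T10:00:03Z client=10.0.0.9 query=CXG98.COM type=A",
    "2022-06-21T10:00:04Z client=10.0.0.9 query=notsectsk.com type=A",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ts, client, name, d in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {client} queried {name} -> xloader config domain {d}")
```

Pair a DNS hit with the Suricata check-in rules listed under Targets before treating the host as infected: a decoy resolution alone can come from the malware itself cycling through its list, and only the C2 check-in traffic confirms an active beacon.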

Targets

    • Target

      PAYMENT COPY.exe

    • Size

      622KB

    • MD5

      7d134d7411132c648a3e8c96b6512ddb

    • SHA1

      ac36a8371466aa2cc72dd8de3d82c8ee79223358

    • SHA256

      6754c12fc6c245becc9c5104eb4c130ee31217a4a8cdee324f468c2c26b4e051

    • SHA512

      e27e1ad2543efead629e66a580be1cf4a8712c695d2d778c55cc93c6b3c870dd680040f318f1309f0d685352da5bfae8797fa02aa1f4cf8a1a07aeb7e4cc0550

    • Xloader

      Xloader is a rebranded version of the Formbook infostealer; its C2 check-in still matches the FormBook network signatures below.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Xloader Payload

    • Adds policy Run key to start application

      Persistence via a value under the Policies\Explorer\Run registry key, which Windows runs at logon alongside the ordinary Run keys.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers read browser profile directories to harvest saved credentials, cookies and autofill data.

    • Suspicious use of SetThreadContext

      SetThreadContext redirects a suspended thread to injected code, as in process hollowing; Formbook and Xloader use it to run their payload inside a host process.

MITRE ATT&CK Enterprise v6

Tasks