General

  • Target: 4e196e5855b82c2bc53aa2fb91ac8197
  • Size: 144KB
  • Sample: 220621-rmfq9sgca2
  • MD5: 4e196e5855b82c2bc53aa2fb91ac8197
  • SHA1: 4531bc4c1ab8912e38541e95eb01bef81fd22c4e
  • SHA256: f85cb020ba29a65b43aee5d2a4aba0a53986136132a4615df9399e07373a238a
  • SHA512: 262e1b88c4ac72bde2545eb886c46389d74a3e32d84432897e646e475b630681e0bf22b84bc520b888c480738bdfe44c3a2f0d260b24a82af6d81c233c480107

Malware Config

Extracted

Family: xloader
Version: 2.6
Campaign: ne5f

Decoy

Targets

    • Target: Order.exe
    • Size: 241KB
    • MD5: bf5426f3ef54fb82433db41d5e8533a5
    • SHA1: 46b504f9d3b02ff66ae640167e5ae3d8737dd44f
    • SHA256: d9af61c7590a4850ff8a8f021ad2b9f7536757d658b281e883e758065637bdd5
    • SHA512: 64f83ef542358da820ff6d91a1bbe09dae4dbb2580c9e566253ae7236eea12ca6ae1128e75b9b291b70574026dece42e7cc646b8c2035abb63b379ddd784d3f5

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • ModiLoader Second Stage

    • Xloader Payload

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks