General

  • Target

    c5c4e5799564f3b661689ad1469c1d2b

  • Size

    139KB

  • Sample

    220621-rrdsgagch8

  • MD5

    c5c4e5799564f3b661689ad1469c1d2b

  • SHA1

    c515a5050b6dd22d15cb7bf707d831b3b39687f6

  • SHA256

    63652138daf8365f6dab21d26a3d7f6286544087760a8f60a66fd98fee63d362

  • SHA512

    66e0524178ee8cc608fe9b17c153b0d2f108ce4276e1d2f5d21a96cdd1dc2056a477da13ac1e4b9ede4e4572190972a555138ef1e81bf6c60d338c8b2d9fda17

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

oecd

Decoy

mrcrickethighlights.com

milozzo.com

biggorillacreative.com

pecwi67.store

stoneeast.com

redicredi.com

warrentonvalodging.com

lexbbc.com

acmet-shirtco.com

grocits.com

vlconstruction.info

jxstore1.com

lifeenrollmarketplace.com

wgr5n.xyz

710wgm.com

ccrdidkqpoxzrrpfpmcb.com

boswellbrothersofnc.net

girajewelry.com

primesukkah.com

daotengge.com
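The "Decoy" list above is the domain set carried in the sample's extracted configuration. For the Formbook/XLoader family the real C2 is hidden among decoy domains that the implant also contacts, so a single hit against this list is a hunting lead, not proof of compromise, and should be correlated with the checkin alert listed under Targets before anything is blocked. The script below, added here as an example and not part of the report, turns the config into an indicator matcher and runs it over constructed DNS log lines and a constructed hash list; the log format (`<timestamp> <client> query <qname>`), the sample lines and the function names are assumptions, while the domains and SHA256 values are copied from this page.

```python
"""Match the extracted XLoader config from this report against local telemetry.

Added example; not from the report or the sandbox vendor. Domains and hashes
come from the report above, everything else (log format, sample data) is
constructed for illustration.
"""
import re

# From the report's Malware Config section.
FAMILY, VERSION, CAMPAIGN = "xloader", "2.6", "oecd"
DECOYS = {
    "mrcrickethighlights.com", "milozzo.com", "biggorillacreative.com",
    "pecwi67.store", "stoneeast.com", "redicredi.com",
    "warrentonvalodging.com", "lexbbc.com", "acmet-shirtco.com",
    "grocits.com", "vlconstruction.info", "jxstore1.com",
    "lifeenrollmarketplace.com", "wgr5n.xyz", "710wgm.com",
    "ccrdidkqpoxzrrpfpmcb.com", "boswellbrothersofnc.net",
    "girajewelry.com", "primesukkah.com", "daotengge.com",
}
# SHA256 of the dropped payload and of the .xlsx lure, from the report.
KNOWN_SHA256 = {
    "63652138daf8365f6dab21d26a3d7f6286544087760a8f60a66fd98fee63d362": "xloader payload",
    "cd71adf7e4f77092fc252b2f26e77e95617fd71de9077182f07b54c2ddaef39b": "certifikat dobavnice 5538.xlsx",
}


def normalize_domain(name):
    """Lower-case and drop the trailing dot that DNS logs often carry."""
    return name.strip().lower().rstrip(".")


def decoy_match(name):
    """Return the config domain that `name` equals or is a subdomain of, else None.

    Suffix matching requires the dot boundary, so 'notlexbbc.com' does not
    match 'lexbbc.com' but 'www.lexbbc.com' does.
    """
    n = normalize_domain(name)
    for d in DECOYS:
        if n == d or n.endswith("." + d):
            return d
    return None


# Constructed log format (assumption): "<timestamp> <client-ip> query <qname>"
DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


def scan_dns_log(lines):
    """Return (timestamp, client, qname, matched_config_domain) for each hit."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, client, qname = m.groups()
        d = decoy_match(qname)
        if d:
            hits.append((ts, client, normalize_domain(qname), d))
    return hits


def match_sha256(hashes):
    """Map any hash in `hashes` that is in the report to its label (case-insensitive)."""
    return {h.lower(): KNOWN_SHA256[h.lower()] for h in hashes if h.lower() in KNOWN_SHA256}


def tag(hit):
    """Label a DNS hit with the family/version/campaign from the config."""
    ts, client, qname, d = hit
    return f"{ts} {client} {qname} -> {d} [{FAMILY} {VERSION} campaign={CAMPAIGN}]"


# Constructed sample data (not real telemetry).
SAMPLE_DNS = [
    "2022-06-21T10:01:02Z 10.0.0.12 query www.example.com.",
    "2022-06-21T10:01:05Z 10.0.0.12 query WWW.lexbbc.com.",
    "2022-06-21T10:01:09Z 10.0.0.31 query mail.primesukkah.com",
    "2022-06-21T10:01:11Z 10.0.0.31 query notlexbbc.com",
    "malformed line that should be ignored",
]
SAMPLE_HASHES = [
    "63652138DAF8365F6DAB21D26A3D7F6286544087760A8F60A66FD98FEE63D362",
    "0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS):
        print(tag(hit))
    print(match_sha256(SAMPLE_HASHES))
```

Because the implant talks to the decoys as well as to the real C2, a matched query on a host is worth pivoting on (process tree, the `vbc.exe` injection target and the SetThreadContext call listed under Targets), but the domain list alone does not identify which entry is the live C2.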

Targets

    • Target

      certifikat dobavnice 5538.xlsx

    • Size

      71KB

    • MD5

      e8e6db5a344b2a76274672464cd74633

    • SHA1

      b3cc85b851ef064f85ec1b650e6a58ed38b395b4

    • SHA256

      cd71adf7e4f77092fc252b2f26e77e95617fd71de9077182f07b54c2ddaef39b

    • SHA512

      c3769bbcf1da3dbf69af45b426b7509ae734ea41421c486aa6dbb0263c7d861850a4e02c95bd8346ba6b82166e33c1b59f4713046216b376dfe8f101a0226154

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks