General

  • Target

    Potvrda narudzbe. RS0324452672.exe

  • Size

    943KB

  • Sample

    220803-jpt3nsgff3

  • MD5

    0ecdae9fca6925995ec4a3db95462410

  • SHA1

    821b698a5ff5285cab17f8a139307cd30ad183a1

  • SHA256

    9a6b3814d1571fd30961206eb15d3affec6486b2ce1aa144d6f3a7854cecad60

  • SHA512

    cf26e3de21e6a495bb6bad1862739b3cfc48b080d7fffa5932d2274ff995d19fc6e649221a0f02986f40c5828cc48d1b73509c3600eca423b16230f9a4a4ff07

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    euv4

  • Decoy

Targets

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • ModiLoader Second Stage

    • Xloader payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Command-Line Interface (T1059): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 3

Tasks