General

  • Target

    Novi poredak.zip

  • Size

    364KB

  • Sample

    221002-lw7cpaaah8

  • MD5

    843723c472a261688f22f1fd2402fe43

  • SHA1

    7f62e8bf917b4e91b7b08b4d773f06ce42fe83a3

  • SHA256

    b63521159d8e3b6748f45763d1bcabd6a030d07b9f6f0ae5147ea2451bd87fff

  • SHA512

    e13a0bd1c0bb36ccdbcb36c589cb3e1095bdaad29db7fa411c625a8a71222b7ac197c7202ab597ca63405803963e8f21dd492adff867235274c14c8a27ebae5a

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

euv4

Decoy

anniebapartments.com

hagenbicycles.com

herbalist101.com

southerncorrosion.net

kuechenpruefer.com

tajniezdrzi.quest

segurofunerarioar.com

boardsandbeamsdecor.com

alifdanismanlik.com

pkem.top

mddc.clinic

handejqr.com

crux-at.com

awp.email

hugsforbubbs.com

cielotherepy.com

turkcuyuz.com

teamidc.com

lankasirinspa.com

68135.online

Targets

    • Target

      Novi poredak.exe

    • Size

      742KB

    • MD5

      c71ad16cf41fe33191e7aed3ff094cb5

    • SHA1

      2530410a028d56fe76cd4883ad6143c65110dfa3

    • SHA256

      c65eb86aa24a5f4ded6ad0fadfb7bb2eb6e6543a4a146f1dd05ae88bb7354375

    • SHA512

      c25844433fe78448977f689fd4afd070316c9e1c3544dd24a444d3efb193e183a063b834f3c045f27fe919c24b1d919dc6fc19229a1a2fa49a89949308f568ec

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • ModiLoader Second Stage

    • Xloader payload

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Discovery

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Privilege Escalation