General

  • Target

    SecuriteInfo.com.Trojan.GenericFCA.Agent.65764.24444.1923.exe

  • Size

    734KB

  • Sample

    230109-r1ageaee85

  • MD5

    e6ae773a4817b46739418358b30325c0

  • SHA1

    e8360791e345c75a15c7e7feaa4884441d4a9db2

  • SHA256

    8bcf46ad691c82dc43513e12486bd798277cc7a4bd14de0b7c829e4e3ad2f730

  • SHA512

    35c8478c458635adf19886266eb06c3d843dfc20f942b55555861cff00594a7a1a0acb2dd8efa1f93fcfa0808eba8f8d99e02352592107d20c8ad05e2ebc01b2

  • SSDEEP

    12288:n437Oofhfv77Kz6Vk1z3TDeo9aqIwF4x8vazsAyNBt:nqLhvKJXeo9fH0tzOt

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    euv4

  • Decoy

    anniebapartments.com
    hagenbicycles.com
    herbalist101.com
    southerncorrosion.net
    kuechenpruefer.com
    tajniezdrzi.quest
    segurofunerarioar.com
    boardsandbeamsdecor.com
    alifdanismanlik.com
    pkem.top
    mddc.clinic
    handejqr.com
    crux-at.com
    awp.email
    hugsforbubbs.com
    cielotherepy.com
    turkcuyuz.com
    teamidc.com
    lankasirinspa.com
    68135.online

Targets

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • ModiLoader Second Stage

    • Xloader payload

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks