General

  • Target

    5d232981a9fef116e719432313b6493302a3a0fa80a2607616a9ef0de164ebe3

  • Size

    980KB

  • Sample

    230129-y4xjnsbh84

  • MD5

    fb5e1ac4bcbaa69a5c5824113dcc6579

  • SHA1

    517257fa761e38fc5a2fcb28b89ed5a64ebceb30

  • SHA256

    5d232981a9fef116e719432313b6493302a3a0fa80a2607616a9ef0de164ebe3

  • SHA512

    715886a53a794ce02911a14acb15b2383b82583675b9e8b65d140ebc64bbdf68d511073f4c40c7b954495d6aac9af4f269e43e5aa17305845402e30fdd8353da

  • SSDEEP

    12288:ec8dySCiSdWunLEQiydW+PWk7iWriyfpbkukWO8Jxde5+Jg0k12HbpGgtVP2lpMR:e1bQyv12Hbk3lpqCwLv/Oh+jWo

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.3

  • Campaign

    tub0

  • Decoy

    playgeazie.com
    blessedmindset.net
    alejofaj.com
    electricbiketechnologes.com
    jmrrealestatellc.com
    alphafathers.com
    trinityhousegoa.com
    trainingrealestateagents.com
    esarpfabrikasi.com
    bookgallary.com
    centralpark-mca.net
    killthemessengermedia.com
    ayderthermal.com
    adsdito.com
    findmy-fmi.info
    1030aponiplace.com
    nachbau.net
    richtig-zuhause-lernen.com
    wuovcoizph.net
    avrplayground.com

Targets

    • Target

      5d232981a9fef116e719432313b6493302a3a0fa80a2607616a9ef0de164ebe3

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Looks for VirtualBox Guest Additions in registry

    • Xloader payload

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks