General

  • Target

    a7c3eb18e5e475d5f04f45917b6d4d1b

  • Size

    2.3MB

  • Sample

    231222-qwv2waadck

  • MD5

    a7c3eb18e5e475d5f04f45917b6d4d1b

  • SHA1

    efa6f5509edb789fdc738c43faa44840963e9008

  • SHA256

    48cdd3518d024b5cdba568ddd5f01c44eed50267c43cc127043d158fd55fefd6

  • SHA512

    fb5f0a385746226f5729ddf70c540eef85e2f64730a96c44ba5e7d2de4fcbe168818fd4324346a6f5c398a1519f7951e6c04ba2e461b7c3159f9f0b2e1707c1f

  • SSDEEP

    49152:vbOnM0AAjLZlCCRlfVM9QPdxwfE7WlFwKAfzuTiDFUFk:vbOnM8SU9V1PdVQFwKZCFg

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

b0ar

Decoy

fbadformula.com

appdios.com

guyhoquet-immobilier-drancy.com

pokerwiro.com

maxwellhospitaljaipur.com

88n9.com

bennypc.com

corcoranconsult.com

cuidatusaludcuidatucasa.com

motlakfitnes.com

laurahurricanerelief.com

nostacktofullstack.com

privsec-mail.com

andalusaihealth.com

doosanmodelhouse.com

quickbookaccountingpro.com

falconrysouk.com

vnielvmdqxk538.xyz

asshop.space

mhscdnv1.club
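
The hashes in the General section and the decoy list in the extracted config are the two things a responder actually reuses from a report like this. The following Python is an added example, not part of the sandbox report or of the Xloader/Formbook code: it verifies a candidate file against all four listed digests, and it runs a simple detection over DNS query logs for hosts that resolve several of the configured domains. The log line format (`<timestamp> <src_ip> <qname>`) and the log entries are constructed for the example; the threshold logic assumes the documented Formbook/Xloader behaviour of beaconing to the decoy domains as well as the real C2, which is why a single host touching many of them is the useful signal.

```python
import hashlib
from collections import defaultdict

# Digests copied from the report's General section. A file that does not
# reproduce all four is not this sample.
REPORT_HASHES = {
    "md5": "a7c3eb18e5e475d5f04f45917b6d4d1b",
    "sha1": "efa6f5509edb789fdc738c43faa44840963e9008",
    "sha256": "48cdd3518d024b5cdba568ddd5f01c44eed50267c43cc127043d158fd55fefd6",
    "sha512": "fb5f0a385746226f5729ddf70c540eef85e2f64730a96c44ba5e7d2de4fcbe16"
              "8818fd4324346a6f5c398a1519f7951e6c04ba2e461b7c3159f9f0b2e1707c1f",
}

# Decoy domains copied from the extracted config above.
DECOY_DOMAINS = frozenset({
    "fbadformula.com", "appdios.com", "guyhoquet-immobilier-drancy.com",
    "pokerwiro.com", "maxwellhospitaljaipur.com", "88n9.com", "bennypc.com",
    "corcoranconsult.com", "cuidatusaludcuidatucasa.com", "motlakfitnes.com",
    "laurahurricanerelief.com", "nostacktofullstack.com", "privsec-mail.com",
    "andalusaihealth.com", "doosanmodelhouse.com", "quickbookaccountingpro.com",
    "falconrysouk.com", "vnielvmdqxk538.xyz", "asshop.space", "mhscdnv1.club",
})


def hash_sample(data: bytes) -> dict:
    """Return the four digests the report lists, keyed by algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in REPORT_HASHES}


def matches_report(data: bytes) -> bool:
    """True only if every digest matches; one mismatch means a different file."""
    return hash_sample(data) == REPORT_HASHES


def matching_decoy(qname: str):
    """Return the configured domain that qname equals or is a subdomain of, else None.

    The trailing dot and case are normalised so 'WWW.Example.COM.' style
    records from resolver logs still match.
    """
    name = qname.rstrip(".").lower()
    for domain in DECOY_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def hosts_hitting_config_domains(log_lines, threshold=3):
    """Report source hosts that resolved at least `threshold` distinct config domains.

    Line format is constructed for this example: '<timestamp> <src_ip> <qname>'.
    Malformed lines are skipped rather than raising, as a log scanner should.
    """
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, src, qname = parts
        hit = matching_decoy(qname)
        if hit:
            seen[src].add(hit)
    return {src: sorted(doms) for src, doms in seen.items() if len(doms) >= threshold}


# Constructed sample log: one host walks the decoy list, another host makes
# a single hit plus a lookalike name that must not match.
SAMPLE_DNS_LOG = [
    "2023-12-22T10:00:01Z 10.0.0.5 www.fbadformula.com",
    "2023-12-22T10:00:02Z 10.0.0.5 www.appdios.com",
    "2023-12-22T10:00:03Z 10.0.0.5 www.pokerwiro.com",
    "2023-12-22T10:00:04Z 10.0.0.5 www.asshop.space",
    "2023-12-22T10:00:05Z 10.0.0.9 www.88n9.com",
    "2023-12-22T10:00:06Z 10.0.0.9 fbadformula.com.example.net",
    "2023-12-22T10:00:07Z 10.0.0.9 mail.example.net",
]

if __name__ == "__main__":
    print(hash_sample(b"abc"))
    print(hosts_hitting_config_domains(SAMPLE_DNS_LOG))
```

Do not turn the decoy list into a block list as-is: the decoys in a Formbook/Xloader config are typically unrelated, legitimate sites that the malware queries to hide the real C2 among them. The per-host threshold above is the check that separates an infected machine walking the list from a user browsing one of those sites.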

Targets

    • Target

      a7c3eb18e5e475d5f04f45917b6d4d1b


    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check to avoid running in certain regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
