General

  • Target

    ceea6ba30eb014e21b32da74664fc7af

  • Size

    1.1MB

  • Sample

    231222-r9353sgef6

  • MD5

    ceea6ba30eb014e21b32da74664fc7af

  • SHA1

    7544a0be934cd998620080e4b2a662a14a1b842d

  • SHA256

    ca56c60a7bae1f795cc5cdf415fea21d12a70a0ca48be1737f85c7ed9c76d41d

  • SHA512

    1a6300222f83d0dec0d8835c22e4ddc1e562b179ef7dc5aba288c456c255e4a1d8bd3198167f2f60e9f08a53541275094073a70cc4d3aa9a3bea0f25d7526c16

  • SSDEEP

    24576:ncYOnMZe/oeLjLZ4A6DRxsc9KWrhgZdGR4:nbOnM0AAjLZlCCRlf

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

b0ar

Decoy

fbadformula.com

appdios.com

guyhoquet-immobilier-drancy.com

pokerwiro.com

maxwellhospitaljaipur.com

88n9.com

bennypc.com

corcoranconsult.com

cuidatusaludcuidatucasa.com

motlakfitnes.com

laurahurricanerelief.com

nostacktofullstack.com

privsec-mail.com

andalusaihealth.com

doosanmodelhouse.com

quickbookaccountingpro.com

falconrysouk.com

vnielvmdqxk538.xyz

asshop.space

mhscdnv1.club
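The extracted configuration above is only useful once it is turned into something that can be run against telemetry. The following Python is an added example, not output of the sandbox report: it embeds the hashes, campaign ID and domain list from this report, runs a constructed proxy log through them, and separates client hosts whose requests also carry the campaign ID in the first URI path segment from hosts that merely visited one of the listed domains. That beacon shape is an assumption about Formbook-family traffic, not something the report states, and the log lines are constructed for the demo.

```python
"""Hunting helper built from the XLoader 2.3 / campaign "b0ar" configuration above.

Added example; this is not output of the sandbox report. The hashes, campaign
ID and domain list are copied from the report. The proxy log lines are
constructed for the demo, and the beacon URI shape (campaign ID as the first
path segment) is an assumption about Formbook-family traffic, not a fact the
report states.
"""
import hashlib
import re
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

CAMPAIGN = "b0ar"

# Every domain from the report's "Decoy" list. XLoader keeps Formbook's design:
# the live C2 is hidden among decoys and many decoys are unrelated, legitimate
# sites, so a hit here is a hunting lead, not grounds for a blocklist entry.
CONFIG_DOMAINS = frozenset({
    "fbadformula.com", "appdios.com", "guyhoquet-immobilier-drancy.com",
    "pokerwiro.com", "maxwellhospitaljaipur.com", "88n9.com", "bennypc.com",
    "corcoranconsult.com", "cuidatusaludcuidatucasa.com", "motlakfitnes.com",
    "laurahurricanerelief.com", "nostacktofullstack.com", "privsec-mail.com",
    "andalusaihealth.com", "doosanmodelhouse.com", "quickbookaccountingpro.com",
    "falconrysouk.com", "vnielvmdqxk538.xyz", "asshop.space", "mhscdnv1.club",
})

SAMPLE_HASHES = {
    "md5": "ceea6ba30eb014e21b32da74664fc7af",
    "sha1": "7544a0be934cd998620080e4b2a662a14a1b842d",
    "sha256": "ca56c60a7bae1f795cc5cdf415fea21d12a70a0ca48be1737f85c7ed9c76d41d",
}


def digests(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of a file's bytes, keyed like SAMPLE_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def is_reported_sample(data: bytes) -> bool:
    """True only if all three digests agree with the report."""
    return digests(data) == SAMPLE_HASHES


def config_domain(host: str) -> Optional[str]:
    """Map a request host to a config domain, tolerating a leading 'www.'."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host if host in CONFIG_DOMAINS else None


# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify(line: str) -> Optional[dict]:
    """Return a hit record for lines touching a config domain, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    domain = config_domain(url.hostname or "")
    if domain is None:
        return None
    segments = [s for s in url.path.split("/") if s]
    return {
        "src": m["src"],
        "domain": domain,
        "method": m["method"],
        # Assumed beacon shape: first path segment equals the campaign ID.
        "campaign_path": bool(segments) and segments[0] == CAMPAIGN,
    }


def hunt(lines: Iterable[str]) -> List[dict]:
    """All log lines that touch a config domain, in log order."""
    return [hit for hit in map(classify, lines) if hit]


def beaconing_sources(lines: Iterable[str]) -> set:
    """Client IPs whose requests carry the campaign ID, i.e. triage these first."""
    return {hit["src"] for hit in hunt(lines) if hit["campaign_path"]}


# Constructed proxy lines (not real telemetry). 10.0.0.21 looks like an
# infected host walking the domain list; 10.0.0.33 merely browsed a site that
# happens to appear among the decoys.
SAMPLE_LOG = [
    "2023-12-22T13:01:05Z 10.0.0.21 GET http://www.fbadformula.com/b0ar/?sd=AbCd&Tz=1234 404",
    "2023-12-22T13:01:06Z 10.0.0.21 GET http://www.appdios.com/b0ar/?sd=AbCd&Tz=1234 200",
    "2023-12-22T13:01:09Z 10.0.0.21 POST http://www.appdios.com/b0ar/ 200",
    "2023-12-22T13:02:00Z 10.0.0.33 GET https://corcoranconsult.com/about 200",
    "2023-12-22T13:02:01Z 10.0.0.33 GET https://example.org/ 200",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
    print("beaconing:", sorted(beaconing_sources(SAMPLE_LOG)))
```

The split between `hunt` and `beaconing_sources` is the point: the decoy list mixes the real C2 with unrelated sites, so a plain domain match over proxy logs will pull in ordinary browsing. Checking all three file digests together, rather than MD5 alone, avoids acting on a single-algorithm collision.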

Targets

    • Xloader

      Xloader is the rebranded successor of the Formbook infostealer and keeps Formbook's configuration scheme, in which the live C2 domain is hidden among a list of decoy domains (see the Decoy list under Malware Config).

    • Xloader payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check to avoid running in certain regions.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is the step that redirects execution in process hollowing and similar injection techniques; together with "Executes dropped EXE" this is consistent with the payload being injected into a freshly created process.

MITRE ATT&CK Enterprise v15

Tasks