General

  • Target

    f7d5f8b4ddd56036981b828611a75f83

  • Size

    1.1MB

  • Sample

    231222-varvjsacbr

  • MD5

    f7d5f8b4ddd56036981b828611a75f83

  • SHA1

    5c1f47b8637aa157c2ad15d9f713b119359fd217

  • SHA256

    4cfbe6aa94bf76cb52f9a3b89c687f48908cfdd0fe0bd791c70e5b9790b71c8b

  • SHA512

    0898b974e32e9ad55f8fb2659c5187f28addeb659cb90912a9488825ab8d3444e25c932eace6662a5ea470bdfd1fc02848478fc435bf3bdd47d69985ae8589af

  • SSDEEP

    24576:ncYOnMZe/oeLjLZ4A6DRxsc9KWrhgZdGR4:nbOnM0AAjLZlCCRlf

Malware Config (extracted)

  • Family

    xloader

  • Version

    2.3

  • Campaign

    b0ar

  • Decoy


Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
