General

  • Target

    89c4a6e31301426a02becec20396c705_JaffaCakes118

  • Size

    366KB

  • Sample

    240811-ky1ggsshpl

  • MD5

    89c4a6e31301426a02becec20396c705

  • SHA1

    05c4fea9da4124f3e2fa721ce9c3543a59723a7a

  • SHA256

    7dd8ab4b5aad43b6571ac2b5f543dbf23aef7847ae4eb395340808ea11a5f9b0

  • SHA512

    75093cdd8fbb5f84b32e1a4d98d6e56890dacfe4f39d9a13c25be84fc9f0684638cf2340e17d1f5f99a7bdbff13d3c9a338c1827886d340978a629e54d37722c

  • SSDEEP

    6144:+ys4x2J/ib3gpk7PLVYd9AcAVjHjI/V31IIGSBRlvbfe7vP+kcyB9hHy8oAoUwVO:TXx2J/vpILVYrAcFd31f1DZpq9hybbVO

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.3

  • Campaign

    h3qo

  • Decoy

    dhflow.com
    jyindex.com
    ezcleanhandle.com
    trungtamcongdong.online
    simsprotectionagency.com
    easylivemeet.com
    blackvikingfashionhouse.com
    52banxue.com
    girlsinit.com
    drhemo.com
    freethefarmers.com
    velvetrosephotography.com
    geometricbotaniclas.com
    skyandspirit.com
    deltacomunicacao.com
    mucademy.com
    jaboilfieldsolutions.net
    howtowinatblackjacknow.com
    anytimegrowth.com
    simranluthra.com

Targets

    • Target

      P.O-48452689535945.exe

    • Size

      521KB

    • MD5

      579c372392d600a9ef621ae4c1f7341a

    • SHA1

      e4fb160d99727aa5ffee784c9a5f52f6581704ee

    • SHA256

      f564f410274ccf48d4513984d1da95edefa874a555f5e7d95fae7f9cc1f46b6b

    • SHA512

      1c744f5d9b4bb04e0ed84bc66ad6a4970e2ff18da28a4c2b9910683821c6fe43ad585e22c56fbb26e1c0db547c7e58d432ffb9c1186da81b47c7f13e7335755f

    • SSDEEP

      6144:0uq2lrmbYS9j7tCiyEKAm63z9EZgVY+RQbwesfqFi/mpZ5bjf9VAZUUryjzbi:0WCbYQjoiuM3J0CyFzxVAZnreXi

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • Xloader payload

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks