General

  • Target

    5e14cab7735db2f831e80c7b51254405.zip

  • Size

    320KB

  • Sample

    240831-bwzyhaxgpb

  • MD5

    3112f8c72cae61c2945f995eb87280ce

  • SHA1

    a2189b3362cfbf69d67271d55431f0269a105f5a

  • SHA256

    96f22574d2fc98125dd79ca3d2eedf5c4dc572423f60be6d9234f7c7938d365b

  • SHA512

    92915dd4eac279c14eabf857341ebe2bd076e85ac71032069d84c573be8e1c8174a4086d47bd6ac66b355bee495b63c550a4f24eb6dc685629af0462eafd6ac9

  • SSDEEP

    6144:y/lEQ2beIfZ3gi/oWV/OSHt5pihYEOyTeJ2LVnTBqWdwpoXsZuLT6:y//2lZ3noWgSHtngTdhUL+si+

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p0on

Decoy

milopcoesbr.com

homestyle.online

cannonceramics.com

allycreditunion.com

findoutturkey.com

wingsboxmalta.com

freedomnflow.com

kwresearchfreelancer.com

filomenafashions.com

lilpil.com

extremevids.biz

suenasa.com

voraspices.com

bex-fit.com

gerontis.net

brighton-holidays.com

ginakferguson.store

newmexicochiletrader.com

klauszeit.com

gsareno.com

Targets

    • Target

      b6c03a67716ee57c51bb9b400fe294f2fdc3e996ec1afdeeb820553796c00c31

    • Size

      346KB

    • MD5

      5e14cab7735db2f831e80c7b51254405

    • SHA1

      61957df403a09153c60e1b0789c449fa3786d657

    • SHA256

      b6c03a67716ee57c51bb9b400fe294f2fdc3e996ec1afdeeb820553796c00c31

    • SHA512

      cde0d5e8d673502eb432e4dbc13115be99ad32631b5f6f78517dc176e01e40a0e9f1950d078359a653ce94e3d1feb77990d7ea5fab107298627e29a389253754

    • SSDEEP

      6144:CBFYXmW1WV5kjpzmfxIjdjJ5AuIUvvWkhIFUnLmUjEdPJN6:CsXHEkcGjBXfvvvvYUnNEdPJA

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks