General
Target: 3ef3975ab4bec816856ba408bf411af95a0be60796e7e80073a35e917fe70140
Size: 567KB
Sample: 241121-yy81hswpex
MD5: e922be2518a41d6b2c4d820f5e4280d3
SHA1: a5e1ea67cee1e56bf99b70ba7e083c72114a17d7
SHA256: 3ef3975ab4bec816856ba408bf411af95a0be60796e7e80073a35e917fe70140
SHA512: 2bc8072bd2050244fd0ff72e1a9b7670127fcf3566bfc8417de26dd87b2e3b533a0cb621414c0bff0f38ed30da717440f3a59d402812d45c6970aa2d762d5f6c
SSDEEP: 12288:62Tco/pGwmyQ+o9tw3C3eOkTQ0Yif0Tq770vojv:62TcSIf9CeeOkTQ2f0e77/jv
Static task: static1
Behavioral task: behavioral1
Sample: Shipping Documents.exe
Resource: win7-20241010-en
Malware Config
Extracted: xloader 2.6 (ouvk)
Targets
Target: Shipping Documents.exe
Size: 691KB
MD5: 57b685ccd486b411372b78b6e9705463
SHA1: 7e4a97376af2c523b17c6bb5002dd9663cb74ba5
SHA256: 4427d66aaf3710031c5545a66e249213b3196045c260bacc730f4298f32b9e39
SHA512: b9e1fd770f4a87f7f7a4d7d7cc9574ab0934f7d0baac9c985a018b9b3a9b28316733eed1e56c8fad6eff78cc6e5c0aa303d05ad1fee9fa7ca8405fbff085fa7e
SSDEEP: 12288:aYn11R/5PQ6naUEQOYptwzC3EOO7QcUYfgzqnZuvkjg:nPFV7pgeEOO7Qufg+nZnj
- Xloader family
- Xloader payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)