General

  • Target

    cd345e01247d238120214ea6f636e688fa5b15f37454ff6566bf1ddd77f471be

  • Size

    286KB

  • Sample

    241121-zdsngaxlgz

  • MD5

    0c45d32e3440162217fc6dd317d3651a

  • SHA1

    6b58afced8635473f4f0c388b0c131fca1df13a9

  • SHA256

    cd345e01247d238120214ea6f636e688fa5b15f37454ff6566bf1ddd77f471be

  • SHA512

    a56a59b032ccaaeb8d6a424837ca06662c14eb549ce3cf3aca9ad55596edc15d99129d4697e282e15bfed9a3799fb24fce1231051f2ae3b9bfaa91df856c9173

  • SSDEEP

    6144:7mzEWuiIAhA/ugmcbCJiC0+cpRbWO76kxpsHvk5qu7EtV8:S1IWehsVIWO7XGU08

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

qatv

Decoy

sexycurvycool.com

webundefinedstaging.website

gaspeehaze.com

adomnaturals.com

best10canadianreviews.info

nikekogan.com

5537sbishop.info

khonnaisoi.com

cures8t.com

garthoaks.com

belvederepharmagroup.com

chivo.plus

qishanlin.top

ccjon1.com

biz-financeagency.com

bdqimeng88.top

3-little-pigs.com

ord13route.art

webku-trial.xyz

ncgf28.xyz

Targets

    • Target

      f44d75390275e2f15ea0111de765cdaede7436331101363ba1db17b74f8cd88e

    • Size

      864KB

    • MD5

      fe330e62ee592637466d5def2358afa8

    • SHA1

      62bb2ec1f62e38b9c2605ba661b85ac10cddefe0

    • SHA256

      f44d75390275e2f15ea0111de765cdaede7436331101363ba1db17b74f8cd88e

    • SHA512

      ba59ac6e0070aae34b5cc98b6ba041f21fbbb52cd2e4551bc30a0570aa48175abb2c2aef14886bfc54128d080558e5dfd20f8800f572d7286dfa242c7032a9d2

    • SSDEEP

      6144:Wz3WauGXbuv9ShKeCasIsqo13lmV1+4McaFkJK0zaG5GRJ3t8:Xa7Luv9ShbCaB9o3mvX3aFcae

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Vjw0rm family

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader family

    • Xloader payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks