Overview

overview

10

Static

static

Payment Co...on.exe

windows7_x64

10

Payment Co...on.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Payment Confirmation.zip

  • Size

    649KB

  • Sample

    210818-amff7xpkl6

  • MD5

    8639997fe4cee3a590cf542a44812e9d

  • SHA1

    e83afc7890a541a5d88b5b0d6ff553e4f0cc877f

  • SHA256

    92d6672e0e1cded3710dea633a3689a678a7e01e97b01e6029ce406b15d70a04

  • SHA512

    69b5f8c760f085d515a42e701902efb671c90af6d8dcc6df112d0a631ca727d7ab585b23abb9ddb93733cee68b7d59d81b32c710da272d14078fd6bcf9bf6a47

Score
10/10
formbookxloaderubqkloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ubqk

C2

http://www.fireescapebk.com/ubqk/

Decoy

thewanderers.info

nowthinasten.com

salesnewage.com

fzgjx.club

transformationcamp.net

thewaltongroup30a.com

bitdoubler.info

elveronac.com

tabupolitico.com

thecureisweed.com

collegesupermatch.com

bbluedotpanowd.com

joakimrexperience.com

philorise.com

beelippy.com

glitchedcode.com

northwoodsremodeling.com

healrrr.com

precisadiagnostics.com

1crude.com

Targets

    • Target

      Payment Confirmation.exe

    • Size

      867KB

    • MD5

      fbc0a38898145f58ec52b75a6a0d4f58

    • SHA1

      0e1b7baa19c708aada04ebe148575996eb5ee7cb

    • SHA256

      7e99dc28bcc8be32fb1477bc6b67da52d67195e1e9ebc9612118a9e180675af7

    • SHA512

      19dc73d78176cae92fa3e6223107a965e72cd54b26ce69cb47b4bc696e67afae4d9a35a927cd75d7df583bf062b5fa129c7d49bf3e565e26167633c91085107a

    Score
    10/10
    xloaderubqkloaderratformbookpersistencespywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Deletes itself

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks