Overview

overview

10

Static

static

QUOTE PRICE.exe

windows7_x64

10

QUOTE PRICE.exe

windows10_x64

10

Resubmissions

24-09-2021 03:40

210924-d8m6ksffgp 10

24-09-2021 01:13

210924-bldyaafed2 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    QUOTE PRICE.rar

  • Size

    520KB

  • Sample

    210924-d8m6ksffgp

  • MD5

    214aaa4a81664f697fe9df9835797788

  • SHA1

    7c87ad7434bc0ad4b5b8a07b46cb350952243cef

  • SHA256

    ddd4407a9fabbb095399cf7e7ed9d7106b5a8368d61e68ca882a1ebf6a0360a8

  • SHA512

    c7cd58da2034cfb06569905a6b671600d41f0a2dca86239906afa23cf162e88e9ce049761e764a14071cc6d490e5812aa02ca94c97c65733d2ec5147328ff99c

Score
10/10
formbookxloaderm6rsloaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m6rs

C2

http://www.litediv.com/m6rs/

Decoy

globalsovereignbank.com

ktnrape.xyz

churchybulletin.com

ddyla.com

imatge.cat

iwholesalestore.com

cultivapro.club

ibcfcl.com

refurbisheddildo.com

killerinktnpasumo4.xyz

mdphotoart.com

smi-ity.com

stanprolearningcenter.com

companyintelapp.com

tacticarc.com

soolls.com

gra68.net

cedricettori.digital

mossobuy.com

way2liv.com

Targets

    • Target

      QUOTE PRICE.exe

    • Size

      558KB

    • MD5

      3a35017603b428f692151484ad54ded0

    • SHA1

      ac071c363f33e2a28aaffc77e5a34642d8246fe0

    • SHA256

      45f5e2a682896ac3380522e26a0398b8112bafc42948666c9fecafa3dcab69e3

    • SHA512

      6a2c113565aca37d63de00cdd59354400e901bb731d35e53a42951463662374dec5dfb83d109f059b59733abaf3c0f2057a87c22f69b2d738af37b6f19409d8d

    Score
    10/10
    formbookxloaderm6rsloaderpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks