Overview

overview

10

Static

static

DOC0917823...22.exe

windows7_x64

10

DOC0917823...22.exe

windows10_x64

10

Resubmissions

24-09-2021 07:32

210924-jc4fksgccn 10

23-09-2021 22:36

210923-2jg52afcfp 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DOC09178236_20210922.cab

  • Size

    552KB

  • Sample

    210924-jc4fksgccn

  • MD5

    02d6a3b0f8437d346e9ac47c6e3c30db

  • SHA1

    6185990c7684ff45314341d2e8755bb165533308

  • SHA256

    a731201c494158fd9f3b137b67db02ad541ff8faff0f4b26d66d5234027abb60

  • SHA512

    f19c3652089ae32df42e1b2a04a0b6c56054c03d2c7997e9a81f5eb7f645ee9d64036e70e654086519d1dc200ae126a7877e0033d9568ab408be440d95e90373

Score
10/10
formbookxloaderohi3loaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ohi3

C2

http://www.cctassetmanagement.com/ohi3/

Decoy

itaewonbrunchbar.com

spectrosam.com

vanita-bavaria.net

kovrikydoma.store

tilthespire.com

aichuanghuan.com

healingyourbodynaturally.com

1790thirdavenue.com

zollogistics.com

inden-shop.com

fmhra.online

blenbigs.com

ofedward.com

efootball2021-eventpesmob.com

sutas-tr.com

ampersandcraftsuk.com

roofingcompaniestampa247.com

whwkjmhy4f.com

gngifts.com

bellezamarket.store

Targets

    • Target

      DOC09178236_20210922.exe

    • Size

      734KB

    • MD5

      38cb740b60d846d2a14a49021a10e164

    • SHA1

      6d1b170fb830773cb750944938f2ada14499fd07

    • SHA256

      d27692420e58cdd646e9a5bd19618387395ee4bc63d10bbe14fe3548e4546889

    • SHA512

      4a4a8f86e7fe559771d401766b4df2f9e194f670222156330f150d72677b92b353d27d8ab43aadd0facae1babc3603bf78bb6e714be559cd9e56294384bbc1ce

    Score
    10/10
    xloaderohi3loaderpersistenceratspywarestealersuricataformbooktrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks