INVOICE.rar

General
Target: INVOICE.rar
Size: 567KB
Sample: 210924-scx38shcan
Score: 10/10
MD5: f870fae8399a83da4989cd2a4b3cecc7
SHA1: cdaa5c7b2864d3353b84c5e2a97790738b9bdd38
SHA256: c78323831bc77fefdeaa33bd70441e02d7c94f456290a3068f345baaf5fff6cc
SHA512: 4abb22e264f30db000f7ddf0eabb13d087af07d83eac0d1f34c0a0f43bd038d587632eae152fa5425b49161f93d7fc655a0a9b83a4f94d3fdadaec3cbd612c63

Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: m6rs
C2: http://www.litediv.com/m6rs/
Decoy domains:
  • globalsovereignbank.com
  • ktnrape.xyz
  • churchybulletin.com
  • ddyla.com
  • imatge.cat
  • iwholesalestore.com
  • cultivapro.club
  • ibcfcl.com
  • refurbisheddildo.com
  • killerinktnpasumo4.xyz
  • mdphotoart.com
  • smi-ity.com
  • stanprolearningcenter.com
  • companyintelapp.com
  • tacticarc.com
  • soolls.com
  • gra68.net
  • cedricettori.digital
  • mossobuy.com
  • way2liv.com
  • j9b.xyz
  • bmfgi.com
  • gargantua-traiteur.com
  • tavolabread.com
  • neoplus-create.com
  • tracks-clicks.com
  • santsp.com
  • tokusa-f.com
  • yardparx.online
  • seinvestments-sg.com
  • elegantbrushes.net
  • restaurantemachupicchu.com
  • ha0313.com
  • dock7rods.com
  • emphatictrifles.com
  • onefunline.top
  • caulsshop.com
  • kittyol.com
  • thehealthyheifer.net
  • plotmyplot.com
  • leewaysvcs.com
  • eur86.com
  • lightsinwall.com
  • jiankangkyw.com
  • travilent.com
  • dvaccounts.com
  • wittyon.com
  • tommywoodenski.com
  • dividendoylibertad.com
  • aqscksw.com

Targets
Target: INVOICE.exe
MD5: 3e0b369f71d263bd0918bfce2b1873c3
Filesize: 1MB
Score: 10/10
SHA1: 0919aa900e50b290cc90426537ec25a9c44496b0
SHA256: c10f872ac7d56c5c8d5151eb8d5c3aba275f83bd55700c0dc38776a04b275175
SHA512: 6c5cb90c5519dbaf90b2ca2183d6c48a1cd216eeb1eff02f16d1042cdde5955734c7ea52408e6ec907abb1a5e4c40eca40b9ed830a92315fad4660861e425c3f

Signatures

  • Formbook
    Description: Formbook is data-stealing malware.

  • Xloader
    Description: Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload

  • Executes dropped EXE

  • Deletes itself

  • Loads dropped DLL

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials.
    TTPs: Data from Local System; Credentials in Files

  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation