INVOICE.rar

General
Target

INVOICE.exe

Filesize

1MB

Completed

24-09-2021 15:04

Score
10 /10
MD5

3e0b369f71d263bd0918bfce2b1873c3

SHA1

0919aa900e50b290cc90426537ec25a9c44496b0

SHA256

c10f872ac7d56c5c8d5151eb8d5c3aba275f83bd55700c0dc38776a04b275175

Malware Config

Extracted

Family xloader
Version 2.5
Campaign m6rs
C2

http://www.litediv.com/m6rs/

Decoy

Signatures 20

Collection
Credential Access
Defense Evasion
Persistence
  • Formbook

    Description

    Formbook is data-stealing malware.

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/796-59-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
    behavioral1/memory/796-60-0x000000000041D3D0-mapping.dmp | xloader
    behavioral1/memory/848-67-0x00000000001D0000-0x00000000001F9000-memory.dmp | xloader
  • Executes dropped EXE
    igfxrfftq.exe

    Reported IOCs

    pid | process
    1832 | igfxrfftq.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid | process
    1836 | cmd.exe
  • Loads dropped DLL
    WerFault.exe

    Reported IOCs

    pid | process
    1504 | WerFault.exe
    1504 | WerFault.exe
    1504 | WerFault.exe
    1504 | WerFault.exe
    1504 | WerFault.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    wscript.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | wscript.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KPUD5TBPDLH = "C:\\Program Files (x86)\\Njvxpnpxh\\igfxrfftq.exe" | wscript.exe
  • Suspicious use of SetThreadContext
    INVOICE.exe, INVOICE.exe, wscript.exe

    Reported IOCs

    description | pid | process | target process
    PID 1540 set thread context of 796 | 1540 | INVOICE.exe | INVOICE.exe
    PID 796 set thread context of 1356 | 796 | INVOICE.exe | Explorer.EXE
    PID 848 set thread context of 1356 | 848 | wscript.exe | Explorer.EXE
  • Drops file in Program Files directory
    wscript.exe, Explorer.EXE

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Njvxpnpxh\igfxrfftq.exe | wscript.exe
    File created | C:\Program Files (x86)\Njvxpnpxh\igfxrfftq.exe | Explorer.EXE
  • Program crash
    WerFault.exe

    Reported IOCs

    pid | pid_target | process | target process
    1504 | 1832 | WerFault.exe | igfxrfftq.exe
  • Modifies Internet Explorer settings
    wscript.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \Registry\User\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | wscript.exe
  • Suspicious behavior: EnumeratesProcesses
    INVOICE.exe, wscript.exe, WerFault.exe

    Reported IOCs

    pid | process
    796 | INVOICE.exe
    796 | INVOICE.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    1504 | WerFault.exe
    1504 | WerFault.exe
    1504 | WerFault.exe
    1504 | WerFault.exe
    1504 | WerFault.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pid | process
    1356 | Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    INVOICE.exe, wscript.exe

    Reported IOCs

    pid | process
    796 | INVOICE.exe
    796 | INVOICE.exe
    796 | INVOICE.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
    848 | wscript.exe
  • Suspicious use of AdjustPrivilegeToken
    INVOICE.exe, wscript.exe, Explorer.EXE, WerFault.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 796 | INVOICE.exe
    Token: SeDebugPrivilege | 848 | wscript.exe
    Token: SeShutdownPrivilege | 1356 | Explorer.EXE
    Token: SeDebugPrivilege | 1504 | WerFault.exe
    Token: SeShutdownPrivilege | 1356 | Explorer.EXE
  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs

    pid | process
    1356 | Explorer.EXE
    1356 | Explorer.EXE
    1356 | Explorer.EXE
    1356 | Explorer.EXE
  • Suspicious use of SendNotifyMessage
    Explorer.EXE

    Reported IOCs

    pid | process
    1356 | Explorer.EXE
    1356 | Explorer.EXE
  • Suspicious use of WriteProcessMemory
    INVOICE.exe, Explorer.EXE, wscript.exe, igfxrfftq.exe

    Reported IOCs

    description | pid | process | target process
    PID 1540 wrote to memory of 796 | 1540 | INVOICE.exe | INVOICE.exe
    PID 1540 wrote to memory of 796 | 1540 | INVOICE.exe | INVOICE.exe
    PID 1540 wrote to memory of 796 | 1540 | INVOICE.exe | INVOICE.exe
    PID 1540 wrote to memory of 796 | 1540 | INVOICE.exe | INVOICE.exe
    PID 1540 wrote to memory of 796 | 1540 | INVOICE.exe | INVOICE.exe
    PID 1540 wrote to memory of 796 | 1540 | INVOICE.exe | INVOICE.exe
    PID 1540 wrote to memory of 796 | 1540 | INVOICE.exe | INVOICE.exe
    PID 1356 wrote to memory of 848 | 1356 | Explorer.EXE | wscript.exe
    PID 1356 wrote to memory of 848 | 1356 | Explorer.EXE | wscript.exe
    PID 1356 wrote to memory of 848 | 1356 | Explorer.EXE | wscript.exe
    PID 1356 wrote to memory of 848 | 1356 | Explorer.EXE | wscript.exe
    PID 848 wrote to memory of 1836 | 848 | wscript.exe | cmd.exe
    PID 848 wrote to memory of 1836 | 848 | wscript.exe | cmd.exe
    PID 848 wrote to memory of 1836 | 848 | wscript.exe | cmd.exe
    PID 848 wrote to memory of 1836 | 848 | wscript.exe | cmd.exe
    PID 848 wrote to memory of 1624 | 848 | wscript.exe | Firefox.exe
    PID 848 wrote to memory of 1624 | 848 | wscript.exe | Firefox.exe
    PID 848 wrote to memory of 1624 | 848 | wscript.exe | Firefox.exe
    PID 848 wrote to memory of 1624 | 848 | wscript.exe | Firefox.exe
    PID 848 wrote to memory of 1624 | 848 | wscript.exe | Firefox.exe
    PID 1356 wrote to memory of 1832 | 1356 | Explorer.EXE | igfxrfftq.exe
    PID 1356 wrote to memory of 1832 | 1356 | Explorer.EXE | igfxrfftq.exe
    PID 1356 wrote to memory of 1832 | 1356 | Explorer.EXE | igfxrfftq.exe
    PID 1356 wrote to memory of 1832 | 1356 | Explorer.EXE | igfxrfftq.exe
    PID 1832 wrote to memory of 1504 | 1832 | igfxrfftq.exe | WerFault.exe
    PID 1832 wrote to memory of 1504 | 1832 | igfxrfftq.exe | WerFault.exe
    PID 1832 wrote to memory of 1504 | 1832 | igfxrfftq.exe | WerFault.exe
    PID 1832 wrote to memory of 1504 | 1832 | igfxrfftq.exe | WerFault.exe
Processes 8
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Drops file in Program Files directory
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
      "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
        "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:796
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:848
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
        Deletes itself
        PID:1836
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        PID:1624
    • C:\Program Files (x86)\Njvxpnpxh\igfxrfftq.exe
      "C:\Program Files (x86)\Njvxpnpxh\igfxrfftq.exe"
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 664
        Loads dropped DLL
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:1504
Network
MITRE ATT&CK Matrix
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Downloads
  • C:\Program Files (x86)\Njvxpnpxh\igfxrfftq.exe

    MD5

    b0820366e32e612b669ca9c519dc15f6

    SHA1

    b7fa7894ded1ae80f2f58b5269d460c4b6729d2e

    SHA256

    15cc7b4992ee6bc7986aadb9fccd3ebf5aa2d50f8fff7920985bacbe9b0eafeb

    SHA512

    fd9e2237d0d0c26a5c8aa14f19ce6ecc4b131229eacb0a3a73ff450a97aaf1350a2a27407f00db9f0ae1ad4a235e68645043bc6a47d4e814c9f022a4d56d8de4

  • memory/796-60-0x000000000041D3D0-mapping.dmp
  • memory/796-61-0x0000000000800000-0x0000000000B03000-memory.dmp
  • memory/796-62-0x0000000000200000-0x0000000000211000-memory.dmp
  • memory/796-59-0x0000000000400000-0x0000000000429000-memory.dmp
  • memory/848-66-0x00000000008D0000-0x00000000008F6000-memory.dmp
  • memory/848-70-0x00000000022B0000-0x0000000002340000-memory.dmp
  • memory/848-67-0x00000000001D0000-0x00000000001F9000-memory.dmp
  • memory/848-68-0x0000000001E90000-0x0000000002193000-memory.dmp
  • memory/848-69-0x0000000075A71000-0x0000000075A73000-memory.dmp
  • memory/848-64-0x0000000000000000-mapping.dmp
  • memory/1356-63-0x0000000006AD0000-0x0000000006C08000-memory.dmp
  • memory/1356-71-0x0000000006480000-0x00000000065DD000-memory.dmp
  • memory/1504-83-0x0000000000000000-mapping.dmp
  • memory/1504-89-0x0000000000370000-0x00000000003D0000-memory.dmp
  • memory/1540-58-0x0000000000740000-0x0000000000772000-memory.dmp
  • memory/1540-55-0x00000000003C0000-0x00000000003C1000-memory.dmp
  • memory/1540-56-0x0000000000400000-0x0000000000407000-memory.dmp
  • memory/1540-57-0x00000000057C0000-0x0000000005821000-memory.dmp
  • memory/1540-53-0x0000000001180000-0x0000000001181000-memory.dmp
  • memory/1624-78-0x000000013F360000-0x000000013F3F3000-memory.dmp
  • memory/1624-80-0x00000000024D0000-0x000000000260A000-memory.dmp
  • memory/1624-72-0x0000000000000000-mapping.dmp
  • memory/1832-82-0x0000000005150000-0x00000000051B1000-memory.dmp
  • memory/1832-81-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
  • memory/1832-76-0x0000000001000000-0x0000000001001000-memory.dmp
  • memory/1832-73-0x0000000000000000-mapping.dmp
  • memory/1836-65-0x0000000000000000-mapping.dmp