Resubmissions

27-09-2021 07:15

210927-h3flrsfhdl 10

19-09-2021 16:46

210919-t9ztrsehbn 10

General

  • Target

    truck pictures.exe

  • Size

    634KB

  • Sample

    210927-h3flrsfhdl

  • MD5

    99ed5f72e5742e549a6ec78655fd3cfc

  • SHA1

    31a4f6fc81c45e49f4787cebe622256fa74d8a06

  • SHA256

    5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8

  • SHA512

    45abc2973402ba0ae81b4e708c257c9e8f5fe472b1fdf969766697a5226481764b0bf8d9be8dd99effd47e7556ed0110b48b892c315d850b952ed700ac2f9711

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cuig

C2

http://www.qtih.top/cuig/

Decoy

sofiathinks-elderly.net

lahamicoast.info

2shengman.com

cbsautoplex.com

arcana-candles.com

genrage.com

kukumiou.xyz

thequizerking.com

sonataproductions.com

rebuildgomnmf.xyz

ubcoin.store

yiyouxue.net

firstlifehome.com

mdx-inc.net

gotbn-c01.com

dinobrindes.store

jcm-iso.com

cliente-mais.com

mloujewelry.com

correoversoi.quest

Targets

    • Target

      truck pictures.exe

    • Size

      634KB

    • MD5

      99ed5f72e5742e549a6ec78655fd3cfc

    • SHA1

      31a4f6fc81c45e49f4787cebe622256fa74d8a06

    • SHA256

      5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8

    • SHA512

      45abc2973402ba0ae81b4e708c257c9e8f5fe472b1fdf969766697a5226481764b0bf8d9be8dd99effd47e7556ed0110b48b892c315d850b952ed700ac2f9711

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Xloader Payload

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Deletes itself

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

2
T1060

Defense Evasion

Modify Registry

3
T1112

Tasks