Overview

overview

10

Static

static

t0ID2yWRERNRIz4.exe

windows7_x64

10

t0ID2yWRERNRIz4.exe

windows10_x64

10

Resubmissions

27-09-2021 07:53

210927-jq1a3sfhfj 10

20-09-2021 04:19

210920-exhmdsfdhr 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    t0ID2yWRERNRIz4.exe

  • Size

    818KB

  • Sample

    210927-jq1a3sfhfj

  • MD5

    2fa809111f6953a10bcae39ef3f57aa7

  • SHA1

    9415a9c252e39776162749c9131d96274cd6cac9

  • SHA256

    7b4c1bf9a15a419080fe02866aa26f162f79d5e01763c6af5915b07988556223

  • SHA512

    adb6b340237a62af5fced4c819bfa92317e15a4062dab379d97a1b2ecd9e5ace9fca9330872f7d4f01c2a0b96035d9a69a376d7f7c812fece8584326447933b9

Score
10/10
formbookxloadergjehloaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

gjeh

C2

http://www.getaudionow.com/gjeh/

Decoy

carmator.com

bsbqrp.com

siemens-mp.com

dunnfloorcoverings.com

cpassminimedicalschools.info

howtodesignyourhomeoffice.com

famliytaste.com

freesocialmarketing.com

jejuhaenyeo.net

tradebot.icu

arzug.com

carrefour-solucoes.online

ladyom.com

aoironote.com

newmexicocarwreckattorney.com

wealthpatternsllc.net

thinkpinkalicous.com

prajapati.company

bjhwky.com

jsdigitalekuns.com

Targets

    • Target

      t0ID2yWRERNRIz4.exe

    • Size

      818KB

    • MD5

      2fa809111f6953a10bcae39ef3f57aa7

    • SHA1

      9415a9c252e39776162749c9131d96274cd6cac9

    • SHA256

      7b4c1bf9a15a419080fe02866aa26f162f79d5e01763c6af5915b07988556223

    • SHA512

      adb6b340237a62af5fced4c819bfa92317e15a4062dab379d97a1b2ecd9e5ace9fca9330872f7d4f01c2a0b96035d9a69a376d7f7c812fece8584326447933b9

    Score
    10/10
    formbookxloadergjehloaderpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Xloader Payload

      rat

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks