Overview

overview

10

Static

static

1e24e03e9f...d3.exe

windows7_x64

10

1e24e03e9f...d3.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1e24e03e9ffdbe39ca8d357d0130aff5c50f2ddd7b2f613ab9dc01f02d0527d3.exe

  • Size

    983KB

  • Sample

    211016-q9pr1scad4

  • MD5

    a514e1b9b6a313f06456520f1881c9a4

  • SHA1

    fa44250d46dc70d4a3061a6174d697245411fc05

  • SHA256

    1e24e03e9ffdbe39ca8d357d0130aff5c50f2ddd7b2f613ab9dc01f02d0527d3

  • SHA512

    1418aee3c4047d583dc7a2fd8993ddb25bba96ad280fd86f1c89d41dc9c4da65bbda5cb7f4dbff56dff9bdc651d98922f508408e6b8f746b6164a2b2fde3975a

Score
10/10
formbookxloadergebgloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

gebg

C2

http://www.familia19.online/gebg/

Decoy

advtaisviana.com

funtheratees.com

designerauthenticator.com

camporequerido.com

lotsixteenfoundation.com

mexico-datacenter.com

darkromancereviews.com

huaguimei.com

shopdirectpro.com

integral-omit.com

translationers.com

noriaki0357.com

braincussionuniversity.com

votifyme.net

brightsandstudios.net

tra4fficsearchtabspace.rest

cataracte-marseille.com

liangyuwang.com

passhineanddine.com

sunnysikka.com

Targets

    • Target

      1e24e03e9ffdbe39ca8d357d0130aff5c50f2ddd7b2f613ab9dc01f02d0527d3.exe

    • Size

      983KB

    • MD5

      a514e1b9b6a313f06456520f1881c9a4

    • SHA1

      fa44250d46dc70d4a3061a6174d697245411fc05

    • SHA256

      1e24e03e9ffdbe39ca8d357d0130aff5c50f2ddd7b2f613ab9dc01f02d0527d3

    • SHA512

      1418aee3c4047d583dc7a2fd8993ddb25bba96ad280fd86f1c89d41dc9c4da65bbda5cb7f4dbff56dff9bdc651d98922f508408e6b8f746b6164a2b2fde3975a

    Score
    10/10
    xloadergebgloaderpersistenceratformbookspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks