Overview

overview

10

Static

static

1

Siam- PO019-021.exe

windows7_x64

10

Siam- PO019-021.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e1d85bbe872f0e8fe976b1ea8d9a526b

  • Size

    238KB

  • Sample

    211019-e6lqeagbbq

  • MD5

    e1d85bbe872f0e8fe976b1ea8d9a526b

  • SHA1

    c653b299e75a9905429a9c2f9ef4f9de411ad469

  • SHA256

    a200d8d842c5a05f5e9ac89f24adbebbf62343c69e516abe4a257713cc09866e

  • SHA512

    f54d9a169d9c2cadff9f551c1ce173e81ba7793c0866d681960daedc3b3e3c72ea5e389a9c83d868876960ba3e83de2b6610d71d749f066464ea66147378d7a7

Score
10/10
formbookxloaderw240loaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

w240

C2

http://www.palisadesburgers.com/w240/

Decoy

deathgummys.com

accentuable.info

logisticairpetrelocators.com

playdropmats.com

ewshop.club

bislists.com

pkkjoo.net

goldenkaktus.com

bigspiderproductions.com

funessences.com

gimpydogproductions.com

motivatedmarketinggroup.com

bjadd.com

2ux3ms.com

zafzi.com

oldmanemailplan.xyz

quotexlibya.com

mobco.store

stofferogbo.kim

akidsguidetotheworld.com

Targets

    • Target

      Siam- PO019-021.exe

    • Size

      252KB

    • MD5

      cdd5b0078abe46c33fec9ca31022cbdb

    • SHA1

      6a55b482eab522e4c70d5f588573687b73444a84

    • SHA256

      b207cf6e0fe84692f4311e2768d913bae8005da5f7ed4cf1cee2459a6f62faa9

    • SHA512

      0c7c64b023e51e638334ec05e2b24e179153563ddaae81f392da9e6e5cf93211125e6837c86bb6b964f9a0db4e46fa975e9acfe5b46f8346b26df887de8f5bce

    Score
    10/10
    formbookxloaderw240loaderpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks