General

  • Target

    Order 1429.r00

  • Size

    358KB

  • Sample

    211021-adl39ahfg4

  • MD5

    c28e724a6cda8952026d6f5fe58cbca0

  • SHA1

    c71162284eccbbd7ad89ad5dc09e76417da64a37

  • SHA256

    3ff80b285092209abdbf24c2cba2edd443aacc91ad293d83cb63b12a9bf851d7

  • SHA512

    68b39585ec5ae502e32b09601754aa4d640d41906b4c3f4d528431818661866886d0420affbab4e67c59d89cf944800fcb9f320056b32e8b93749a231a48c17b

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    snec

  • C2

    http://www.go2payme.com/snec/

  • Decoy

    sacramentoscoop.com
    auroraeqp.com
    ontactfactory.com
    abenakigroup.com
    xander-tech.com
    cocaineislegal.com
    carbondouze.com
    louisvilleestatelawyer.com
    sundaytejero.quest
    arti-faqs.com
    thisandthat.store
    biodyne-el-salvador.com
    18504seheritageoakslane.com
    mfialias.xyz
    whitestoneclo.com
    6288117.com
    oficiosuy.com
    autogift.xyz
    wallbabyshell.com
    chaletlabaie.com

Targets

    • Target

      Order 1429.exe

    • Size

      414KB

    • MD5

      b81fd6b263fc1617a21290a475e292e1

    • SHA1

      789e25a0b2322b0e9721007786ec41316586a827

    • SHA256

      720f9b3a1b8c9d8ea1eb23845f3fa508a9f5d06da878360ffd8ec608869c3398

    • SHA512

      2131135ae25dd47153e39b6cd924737ad0e41f12dc40569c982660072635613f72e503420018c1a2649c37cff9dac35c1f249a243e5c6cdadc926160c440927d

    • Formbook

      Formbook is a data-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                            Count  ID
  Persistence         Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion     Modify Registry                      2      T1112
  Credential Access   Credentials in Files                 1      T1081
  Collection          Data from Local System               1      T1005

Tasks