triage_dropped_file

General
Target

triage_dropped_file

Size

253KB

Sample

211021-pj5j4sacd5

Score

10/10
MD5

d0e4c13e6c8ba9fe34d86b554b595d9a

SHA1

83eee2dbe00ae265af9eb13105dc1068b6b034cd

SHA256

f8d9fbcef6907460baa7c91e53d1a40865901bb50906b5519cba440fdbc65032

SHA512

72f5fcd367c0f0fdc83827bea529f84a85ace28550a5cd8102cb0cde2829d81defe312fb0d95d3c5a8e8728f4efd8cb433bfab0b3e1f265fffdc4e0ad687247d

Malware Config

Extracted

Family xloader
Version 2.5
Campaign kqna
C2

http://www.surfsolutions.info/kqna/

Decoy



Signatures

  • Formbook

    Description

    Formbook is a data-stealing malware family.

  • Registers COM server for autorun

    TTPs

    Registry Run Keys / Startup Folder

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload

  • Adds policy Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

  • Executes dropped EXE

  • Deletes itself

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials.

    TTPs

    Data from Local System; Credentials in Files

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation