HTK TT600202109300860048866 Payment Proof.pdf.exe

General
Target

HTK TT600202109300860048866 Payment Proof.pdf.exe

Size

461KB

Sample

211021-pkcwgsacd6

Score
10/10
MD5

f12bf73a1cb81b5ddd8dd6ed66e610f1

SHA1

cb8b0497c95512bf9233823f7d20937424c87207

SHA256

6446736e3662120e1fe4c3518bc8e6d14553f6b0b27aaf1fc5676e1f73a50c33

SHA512

385c4de5deca014f7486f802efc9a305e2bd2c457a21b63f66bf6f3caef1acee6537f32c7cd4690ee0378939dfad4444abb832c31fb5b5cfcb5bf7ae86715bad

Malware Config

Extracted

Family xloader
Version 2.5
Campaign euzn
C2

http://www.heser.net/euzn/

Decoy

Targets
Signatures

  • Formbook
    Description: Formbook is a data-stealing malware family.
  • Registers COM server for autorun
    TTPs: Registry Run Keys / Startup Folder
  • Xloader
    Description: Xloader is a rebranded version of Formbook malware.
  • Xloader Payload
  • Adds policy Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Blocklisted process makes network request
  • Executes dropped EXE
  • Sets service image path in registry
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Deletes itself
  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System; Credentials in Files
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Drops file in System32 directory
  • Suspicious use of SetThreadContext
MITRE ATT&CK Matrix

Tactic columns: Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation