Overview

overview

10

Static

static

1

QUOTATION.exe

windows7_x64

10

QUOTATION.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    QUOTATION.exe

  • Size

    253KB

  • Sample

    211021-q16deaadc7

  • MD5

    cadf879ded4e6a753d7b172b77bce50d

  • SHA1

    ab4f8431c170d75040d8b2984f5e7eadeeeedab9

  • SHA256

    18e91cbaa2d04fa969e97e947ccd011d494f68eb6375b067f0342a7765fb3119

  • SHA512

    c685444886b555978228cd2fb47b0725b25443b8fcd19be70f804a5bf433ebc9a35291ea33edf6fcc9030fcd26a89009a3b223c39432a001842494b20bf5f5d7

Score
10/10
formbookxloaderd6puloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

d6pu

C2

http://www.bonitaspringshomesearch.com/d6pu/

Decoy

ifixcreditatl.com

productgeekout.com

electricvehicle-insurance.com

kuiper.business

cloudenglabs.com

gorbepari.com

collecthappy.com

amykrussell.store

clubhousebusinesscourse.com

aplussinifiklima.com

slewis.design

atticwitt.com

galenota.com

griphook.xyz

gsjbd1.club

bootystrapfitness.com

emflawrhks.com

alternativedata.investments

eyehealthtnpasumo3.xyz

naturanzaec.com

Targets

    • Target

      QUOTATION.exe

    • Size

      253KB

    • MD5

      cadf879ded4e6a753d7b172b77bce50d

    • SHA1

      ab4f8431c170d75040d8b2984f5e7eadeeeedab9

    • SHA256

      18e91cbaa2d04fa969e97e947ccd011d494f68eb6375b067f0342a7765fb3119

    • SHA512

      c685444886b555978228cd2fb47b0725b25443b8fcd19be70f804a5bf433ebc9a35291ea33edf6fcc9030fcd26a89009a3b223c39432a001842494b20bf5f5d7

    Score
    10/10
    formbookxloaderd6puloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks