Overview

overview

10

Static

static

factura.exe

windows7_x64

10

factura.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    factura.r11

  • Size

    491KB

  • Sample

    211023-b1llnsffe3

  • MD5

    9f2c6a434ce5af8fd2a0a75a8c39bf3e

  • SHA1

    68dcef491633987afdb1dbfb8359cac30ba7be45

  • SHA256

    497c4b0121e59a1fdeb370b38acf6d33f846a399ed3bdc47f51a230e1c198a25

  • SHA512

    bd27288fe1ca29f1751b9d1b8642b02587a742af9cb4818b7a177ccf7911142808c1a3f945b0bf914ebb3f1e8f63b138650647b7f81e11eeaadbc16cc4322780

Score
10/10
formbookxloadersnecloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

snec

C2

http://www.go2payme.com/snec/

Decoy

sacramentoscoop.com

auroraeqp.com

ontactfactory.com

abenakigroup.com

xander-tech.com

cocaineislegal.com

carbondouze.com

louisvilleestatelawyer.com

sundaytejero.quest

arti-faqs.com

thisandthat.store

biodyne-el-salvador.com

18504seheritageoakslane.com

mfialias.xyz

whitestoneclo.com

6288117.com

oficiosuy.com

autogift.xyz

wallbabyshell.com

chaletlabaie.com

Targets

    • Target

      factura.exe

    • Size

      684KB

    • MD5

      7c6766218c6f18eb3f8be7391e8e62cc

    • SHA1

      9cddeb0d7aa5e7206cd2b0a34c924ee5eb81ebe3

    • SHA256

      2edd9500d065d10587fcb4f5551095e420c40f3bc5e406dd74bf23f954e01ada

    • SHA512

      1da399c56670c79e725ebebb49f7c78cefeb652fea089f5e5961bce38803b4f687b04b09e7ea92bc13f1e23abee8b97a8f11f8d6bf76b2e0355380e1f224531f

    Score
    10/10
    formbookxloadersnecloaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks