Overview

overview

10

Static

static

ArD5nO3F91myqTV.exe

windows7_x64

10

ArD5nO3F91myqTV.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    IR19_FundTransfer.iso

  • Size

    626KB

  • Sample

    211028-bnemlaghb4

  • MD5

    6962916c6c9d46abc0d3a289ee238b74

  • SHA1

    b001229a1e68e46eda6c24edc2de22f6a4b596cd

  • SHA256

    9d70d9cc946db4cd9cd418ae9c2017a8a7c3e4fd76f65a8bbfed2c4ddf1f0098

  • SHA512

    5095f5729e2a2a0a20a800adcb55d043f88fd831e8a798417222b48ebbcf6823e3c90ae178378a048a08fbdaa61ae1cef94a818c0468dab4a9b6a7420e843bf5

Score
10/10
formbookxloaderk8u7loaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

k8u7

C2

http://www.ardisadr.online/k8u7/

Decoy

ly3389.com

biggergrip.com

guitarbadon.net

zbjiachuang.com

maaratechnology.com

perdiemsuites.com

israel-grahamcoates.com

blackbirdfarmette.com

klhobbies.com

locdinzone.com

bestinvest-4-you.com

howtofindbantingbalance.com

kairoslabs.online

hteaz.com

banjjakdesign.com

reworkgear.com

oklahomaexcavation.com

tenloe051.xyz

blockchainpress.info

panchotrucking.com

Targets

    • Target

      ArD5nO3F91myqTV.exe

    • Size

      565KB

    • MD5

      6dfcb41ce4cc51a4c8ea418960b45c0b

    • SHA1

      898c4721b6e4593cbe0b88dbde8c152bc8a87a55

    • SHA256

      9ab16c3b0caf257f8652d17d642c53cf2e8056f38f32f091fa23d6acfa4d5b8a

    • SHA512

      18b925e7e5a5cc02fe300529414edcd6449747e3c591989db18b9f958c7283b68467fa2eadcf0028babf27ecd7672f5d98cd6db75f2ed54b5970f858d6a147cd

    Score
    10/10
    formbookxloaderk8u7loaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks