General
Target

RFQ#.exe

Size

296KB

Sample

211028-q4rpesbfh6

Score
10/10
MD5

3838c43e12f0c22ecf9a9a0c1deb1d30

SHA1

7b9d8e4a093672411f71f1cf6a7fe6803c61773c

SHA256

b980dfcce93e9140d8ce71151f2f385026b8cebc195b71055707e1468ad0131b

SHA512

f0f860a56500b449b29558dc6e8860ce4441cee2612cc22c7cb9aaf5106062e290e3b3313dd0eef55fe1678791992f0502dbda9d0350110b7f7591853445935c

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

unzn

C2

http://www.davanamays.com/unzn/

Decoy

xiulf.com

highcountrymortar.com

523561.com

marketingagency.tools

ganmovie.net

nationaalcontactpunt.com

sirrbter.com

begizas.xyz

missimi-fashion.com

munixc.info

daas.support

spaceworbc.com

faithtruthresolve.com

gymkub.com

thegrayverse.xyz

artisanmakefurniture.com

029tryy.com

ijuubx.biz

iphone13promax.club

techuniversus.com

samrgov.xyz

grownupcurl.com

sj0755.net

beekeeperkit.com

richessesabondantes.com

xclgjgjh.net

webworkscork.com

vedepviet365.com

bretabeameven.com

cdzsmhw.com

clearperspective.biz

tigrg5g784sh.biz

bbezan011.xyz

mycar.store

mansooralobeidli.com

ascensionmemberszoom.com

unlimitedrehab.com

wozka.top

askylarkgoods.com

rj793.com

prosvalor.com

primetimeexpress.com

boixosnoisperu.com

mmasportgear.com

concertiranian.net

hyponymys.info

maila.one

yti0fyic.xyz

shashiprayag.com

speedprosmotorsports.com

Targets
Target

RFQ#.exe

MD5

3838c43e12f0c22ecf9a9a0c1deb1d30

Filesize

296KB

Score
10/10
SHA1

7b9d8e4a093672411f71f1cf6a7fe6803c61773c

SHA256

b980dfcce93e9140d8ce71151f2f385026b8cebc195b71055707e1468ad0131b

SHA512

f0f860a56500b449b29558dc6e8860ce4441cee2612cc22c7cb9aaf5106062e290e3b3313dd0eef55fe1678791992f0502dbda9d0350110b7f7591853445935c

Tags

Signatures

  • Formbook

    Description

    Formbook is a data stealing malware which is capable of stealing data.

    Tags

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

    Tags

  • Xloader Payload

    Tags

  • Executes dropped EXE

  • Deletes itself

  • Loads dropped DLL

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Privilege Escalation
                  Tasks

                  static1

                  Score
                  1/10

                  behavioral2

                  Score
                  10/10