General

  • Target

    SOA_OCT 2021.exe

  • Size

    269KB

  • Sample

    211110-fqw2wagda8

  • MD5

    75f24a7fd78d30dc1287852829e55fe1

  • SHA1

    b5a09b34b18f14d44c311f84a5e705bdc6684e0c

  • SHA256

    fcf7e7eea1f4983f876bb52b0e40e09fedf69a92dcec11be50ff87e169824601

  • SHA512

    58e19c58f39ca00ff9d5be73271471eff557b7d5041d6f3d99dbb0f6417212e351f45199548e7884c5f54e52c56d8dab4d52c0f500627ca7c4647407f9c91b6d

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

e8ia

C2

http://www.helpfromjames.com/e8ia/

Decoy

le-hameau-enchanteur.com

quantumsystem-au.club

engravedeeply.com

yesrecompensas.lat

cavallitowerofficials.com

800seaspray.com

skifun-jetski.com

thouartafoot.com

nft2dollar.com

petrestore.online

cjcutthecord2.com

tippimccullough.com

gadget198.xyz

djmiriam.com

bitbasepay.com

cukierniawz.com

mcclureic.xyz

inthekitchenshakinandbakin.com

busy-clicks.com

melaniemorris.online

Targets

    • Target

      SOA_OCT 2021.exe

    • Size

      269KB

    • MD5

      75f24a7fd78d30dc1287852829e55fe1

    • SHA1

      b5a09b34b18f14d44c311f84a5e705bdc6684e0c

    • SHA256

      fcf7e7eea1f4983f876bb52b0e40e09fedf69a92dcec11be50ff87e169824601

    • SHA512

      58e19c58f39ca00ff9d5be73271471eff557b7d5041d6f3d99dbb0f6417212e351f45199548e7884c5f54e52c56d8dab4d52c0f500627ca7c4647407f9c91b6d

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Collection

Data from Local System

1
T1005

Tasks