Overview

overview

10

Static

static

Request fo...on.exe

windows7_x64

10

Request fo...on.exe

windows10_x64

10

Resubmissions

26-01-2022 03:10

220126-dn17psecaq 10

10-01-2022 06:48

220110-hkstdadhg2 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Request for Quotation.exe

  • Size

    556KB

  • Sample

    220126-dn17psecaq

  • MD5

    cfe607172762768ef0d28bd9d46459bd

  • SHA1

    09c2fcae04979ac5eaa9a30efef0e59aa5bf034d

  • SHA256

    08d17b9c0d3ab4eb79a38b0a500655f9f47bc3468718ae5b61d59d0b2b687e53

  • SHA512

    f3931157cffc40e4aa783261cbbf59fe1698c637c2460dd98828eb0902e66dd006d3aa0e15a9cf17dd1a0396598842c970080ebf7b809813312fc0acdc229714

Score
10/10
formbookxloaderb80iloaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b80i

Decoy

yixuan5.com

jiazheng369.com

danielleefelipe.net

micorgas.com

uvywah.com

nbjcgl.com

streets4suites.com

hempgotas.com

postmoon.xyz

gaboshoes.com

pastodwes.com

libes.asia

damusalama.com

youngliving1.com

mollyagee.com

branchwallet.com

seebuehnegoerlitz.com

inventors.community

teentykarm.quest

927291.com

Targets

    • Target

      Request for Quotation.exe

    • Size

      556KB

    • MD5

      cfe607172762768ef0d28bd9d46459bd

    • SHA1

      09c2fcae04979ac5eaa9a30efef0e59aa5bf034d

    • SHA256

      08d17b9c0d3ab4eb79a38b0a500655f9f47bc3468718ae5b61d59d0b2b687e53

    • SHA512

      f3931157cffc40e4aa783261cbbf59fe1698c637c2460dd98828eb0902e66dd006d3aa0e15a9cf17dd1a0396598842c970080ebf7b809813312fc0acdc229714

    Score
    10/10
    formbookxloaderb80iloaderpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks