Overview

overview

10

Static

static

1

HIRE SOA JAN 2022.exe

windows7_x64

10

HIRE SOA JAN 2022.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    HIRE SOA JAN 2022.exe

  • Size

    248KB

  • Sample

    220126-j7arraahal

  • MD5

    f7c0bc31aeb94707cdce8cf6abd4f099

  • SHA1

    82725d581ae393a4fc5961f911e338f7a85e9683

  • SHA256

    2e3edcdf1ab052a2e0fbd8ffdaf213876b3571b23ff74f5e157ce24a1155be81

  • SHA512

    d2b36412ada4f8ddf052e55682b1ce523bc18b0c3203e064f7ec7da58b6433522c392cfd22d9435dc98186d850915938aa508131cb3bbf14c410e5f5c0bf4feb

Score
10/10
formbookxloaderigwaloaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

igwa

Decoy

listingswithalex.com

funtabse.com

aydenwalling.com

prochal.net

superfoodsnederland.com

moldluck.com

dianekgordon.store

regionalhomescommercial.com

mysecuritymadesimple.com

malwaremastery.com

kodaikeiko.com

jrzg996.com

agricurve.net

songlingjiu.com

virginianundahfishingclub.com

friendschance.com

pastelpresents.com

answertitles.com

survival-hunter.com

nxfddl.com

Targets

    • Target

      HIRE SOA JAN 2022.exe

    • Size

      248KB

    • MD5

      f7c0bc31aeb94707cdce8cf6abd4f099

    • SHA1

      82725d581ae393a4fc5961f911e338f7a85e9683

    • SHA256

      2e3edcdf1ab052a2e0fbd8ffdaf213876b3571b23ff74f5e157ce24a1155be81

    • SHA512

      d2b36412ada4f8ddf052e55682b1ce523bc18b0c3203e064f7ec7da58b6433522c392cfd22d9435dc98186d850915938aa508131cb3bbf14c410e5f5c0bf4feb

    Score
    10/10
    formbookxloaderigwaloaderpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks