General

  • Target

    8f599f0c9aa6c13dbbefded757547a99-sample.zip

  • Size

    326KB

  • Sample

    220131-1fcwgacgg3

  • MD5

    f74d373a1ae45e6b8a87c6ef10675223

  • SHA1

    30c7e8a73bbc4a7897e203b5798b6bec6c642a7b

  • SHA256

    2431bcfeeed375246aa9b2e9a42868f57ccb0517bea50b9c9ddcc4ff8e3c75a1

  • SHA512

    2ffcf377ba7b7bd3eed46867578cca2397111beb8adda2c893e567922794806d32ede14cb86f0e3b9110b040acf07dd0567f924478074a77d0bb43cd708d93f9

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    ssac

  • Decoy


Targets

    • Target

      PO1922.exe

    • Size

      436KB

    • MD5

      4206075224453d62fdff5aa5c32e392b

    • SHA1

      5d862e2e94f2d83d1594d21fd4f73d96a192a2f0

    • SHA256

      c804865a31c4ece9c6dbf12a13593c3402f04618477746eff72709c5dc5d3ebf

    • SHA512

      7c048a79159f82fe3295a92f471dd8c8f01f8ea099bf1c8f53d0335f150579fb102baeb0df9c4c96a15af57f40cc11406a47d14de3975e3a1be605c572889062

    • Formbook

      Formbook is a data-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder: T1060 (1)

  • Defense Evasion

    Modify Registry: T1112 (3)

  • Credential Access

    Credentials in Files: T1081 (1)

  • Discovery

    System Information Discovery: T1082 (1)

  • Collection

    Data from Local System: T1005 (1)
