General

  • Target

    8b74ea45562754413df652ff7754a4c4ac90782f298a1d4066c9801d799a1138

  • Size

    1.2MB

  • Sample

    220205-g14edahafr

  • MD5

    de27b85bfa13e39026b81344b1e4dfb7

  • SHA1

    7cfd963249cef91259f666b461c12fe4e6faab34

  • SHA256

    8b74ea45562754413df652ff7754a4c4ac90782f298a1d4066c9801d799a1138

  • SHA512

    2f79ca82193a52b7c5967738419e2f56d9b036a1a268fadd2f419c0e9e09b223771a8c1b47d601a5d58d7e18e8002a9ea7d772ddd28e36b0ed8751e186a7b729

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Targets

    • Target

      DOC40218.EXE

    • Size

      409KB

    • MD5

      f0d6685e51ab75d3585212478055cb22

    • SHA1

      11cc87018e7dd4620e7b824012f40cac0a1f367d

    • SHA256

      caaa240601d0e42acb112b2c61f1f71cb12348f77259c8c98cece75735dfc1e0

    • SHA512

      3b19cae94fd6baa2c18069b01e3386db1f13ab848fcce0f9673b246b5f5fb5bad414c27b835bf6f478937fc8afa23d77b7beea4f299badb9434f585792b168a5

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Executes dropped EXE

    • Sets service image path in registry

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

2
T1060

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Collection

Data from Local System

1
T1005

Tasks