Overview

overview

10

Static

static

1

ORDER_71.exe

windows7_x64

10

ORDER_71.exe

windows10-2004_x64

10

Resubmissions

09-02-2022 08:59

220209-kxyaqshhgp 10

09-02-2022 00:39

220209-azs4paghcn 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Order-71130319-pdf.img

  • Size

    1.2MB

  • Sample

    220209-kxyaqshhgp

  • MD5

    5cf5b72a5be2ece2f08e71896e8494bb

  • SHA1

    8b8fbf43e29d6cbbdaaf1bb4f02d7edba28f1908

  • SHA256

    f6322fb68a262178737fa6c63ba5c075c3d78ae0dd5b278326ffcb6f7f3efe59

  • SHA512

    37b2a8943449355b86e9f0af1ca00a699cae4db945486f6d91d8cfdd2b17b1bab876bec76f539b70f4a459302c60c3ff171bd33f335a6d7ef96f8d51f0bf69ed

Score
10/10
formbookxloaderuar3loaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

Targets

    • Target

      ORDER_71.PIF

    • Size

      262KB

    • MD5

      78c4e0ee7d553496e9123839c8fa144c

    • SHA1

      ff5f5c69e406500adff16452c71bf4e0c1322455

    • SHA256

      3c281d772b25ef5bed141574c037855aee8321aec2f3dd272c3526af659795dc

    • SHA512

      832989a7bcbe37d6664934e1d57e95ed55cc8eb635e962bae8070e4bc68f6a4707789105069c2bf8277d1154a0034b7fcf7807c38e66820810e63e5475a948ae

    Score
    10/10
    formbookxloaderuar3loaderpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      persistence

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3
T1060

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks