Resubmissions

14-03-2022 13:53

220314-q7ffkagbb2 10

14-03-2022 13:10

220314-qev1jshfal 10

14-03-2022 13:10

220314-qejmhsffd9 1

14-03-2022 13:09

220314-qeba5sffd4 1

14-03-2022 13:09

220314-qdstsshegp 1

25-02-2022 17:41

220225-v9edhaabek 10

25-02-2022 17:33

220225-v49x8aabcr 10

25-02-2022 17:26

220225-vz7masggh9 10

25-02-2022 17:01

220225-vjlpwsggd5 10

General

  • Target

    INV21029.EXE

  • Size

    577KB

  • Sample

    220225-vz7masggh9

  • MD5

    740dd9c14dea0b98df6ad434abfe789e

  • SHA1

    cbec4d898e68c12fb7dcaddb17d0aca16e8e0e7b

  • SHA256

    35295675b2fbd8ff9900336325e3324270f083705fd0cf51f4ef28763430cdd6

  • SHA512

    66041e42091e83889a6da93c4242a01a0a3122774dc2db8baf909fb0ec6b0d6e847183ac92a24f2ca99f99de7dd4abddddda4a908887f354e3a333202bc0a66e

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Targets

    • Target

      INV21029.EXE

    • Size

      577KB

    • MD5

      740dd9c14dea0b98df6ad434abfe789e

    • SHA1

      cbec4d898e68c12fb7dcaddb17d0aca16e8e0e7b

    • SHA256

      35295675b2fbd8ff9900336325e3324270f083705fd0cf51f4ef28763430cdd6

    • SHA512

      66041e42091e83889a6da93c4242a01a0a3122774dc2db8baf909fb0ec6b0d6e847183ac92a24f2ca99f99de7dd4abddddda4a908887f354e3a333202bc0a66e

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Modifies visibility of file extensions in Explorer

    • Registers COM server for autorun

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Sets service image path in registry

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Hidden Files and Directories

1
T1158

Registry Run Keys / Startup Folder

4
T1060

Defense Evasion

Hidden Files and Directories

1
T1158

Modify Registry

8
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

1
T1005

Impact

Defacement

1
T1491

Tasks