General

  • Target

    tmp

  • Size

    1.1MB

  • Sample

    220506-rxm84acffq

  • MD5

    f2b83c2075be8c51ada1ac1b2366095e

  • SHA1

    f1dbf47b7e225bd92bd8d1a14ea832117f7c1037

  • SHA256

    dbdd02d3fc196dd03b6f970e8bb08d82896d35b72878c09daa0ab36efcb19cf0

  • SHA512

    7fdaf5cb281658bd7a8e4088ec8609a3bdd0b07bd029cb8390c9ff3823c854d2d51462bfc4bca8cf2af709e1986ee9eaec33c0be4ca68c759e631e31d85470fe

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.6

  • Campaign

    arh2

  • Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Looks for VirtualBox Guest Additions in registry

    • Xloader Payload

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic              Technique                             ID      Count

Persistence         Registry Run Keys / Startup Folder    T1060   1

Defense Evasion     Virtualization/Sandbox Evasion        T1497   2
                    Modify Registry                       T1112   2

Credential Access   Credentials in Files                  T1081   1

Discovery           Query Registry                        T1012   4
                    Virtualization/Sandbox Evasion        T1497   2
                    System Information Discovery          T1082   2
                    Peripheral Device Discovery           T1120   1

Collection          Data from Local System                T1005   1
