shipment documents for SST2112-250..exe

General

Target: shipment documents for SST2112-250..exe
Size: 607KB
Sample: 220521-az7xvaeafn
Score: 10/10
MD5: 014283a3f74600a5e3184d54d4b9134a
SHA1: f9e163b967fd02e060aaf4020abe6f9e96150526
SHA256: 16478611c7b79652c9256355bc0498b0695d26d5a297011a672a5bac9ca40b76
SHA512: 01060df227a236cf449c61dcda359ff4b437b89c5491727173afa095bc579a9381106084bbaa463e29e227126bb608563b03c3fe29763e2e1af7135703af5e20

Malware Config

Extracted

Family: xloader
Version: 2.6
Campaign: a8hq
Decoy:

Targets
Signatures

  • Xloader
    Description: Xloader is a rebranded version of Formbook malware.
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  • Xloader Payload
  • Blocklisted process makes network request
  • Deletes itself
  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System; Credentials in Files
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Suspicious use of SetThreadContext
