Overview

overview

10

Static

static

request fo...63.exe

windows7_x64

10

request fo...63.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6923c6b53ceaec1d925149106d9d29c7d35af3542beca0bcbd9333f4ea28e67b

  • Size

    317KB

  • Sample

    220521-dbyaaaaebp

  • MD5

    949e3fdfe6efdb89fff9d5644f574f93

  • SHA1

    4724e111f096b404014e26f00a3a7a7bc14f9a49

  • SHA256

    6923c6b53ceaec1d925149106d9d29c7d35af3542beca0bcbd9333f4ea28e67b

  • SHA512

    31e54ab4f8005cbba5fa92e7a1b0b3f431ef4de227f2ead0836737cf592714dea53581268d8b1e12b2880dca7529ee4397f8b1b94581e44bd9d3a16bd1618f31

Score
10/10
xloaderiwnnloaderratspywarestealersuricata

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

iwnn

Decoy

laerteskft.com

growingstrongbook.com

bridgecounsel.com

takeabreakfromwork.com

www2998s.com

rvaimportados.com

zelfstandigondernemen.online

connectinglifes.com

ecopt.win

bwwvuih.com

designingbeyondmyeloma.com

apprentisageaplus.com

walkintubstoday.sale

littlemexicoimports.com

getaltai.com

sbd55999.com

nu000.com

theconsciouscookingcompany.com

jelancer.com

osusume-toushiseminar.com

Targets

    • Target

      request for quotation samples No 48576935 96877463.exe

    • Size

      419KB

    • MD5

      6ceb03b6435eefad76639a03a22ce0fb

    • SHA1

      f1a37e2f2cc7de7eed2403af42a446050a6610fd

    • SHA256

      b32579e01c28fc0a157f14ce8c679d02fcd1f5c03f8eef56ba6a77a627786d84

    • SHA512

      1987f6e1573ace6e6fa2b4c4409e7af1d7db12ab40593c8898a12c135aa0168c7772ae1727072e867311f4bd068a40b49c996102a05f80d5618de0f76d8b330b

    Score
    10/10
    xloaderiwnnloaderratspywarestealersuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Xloader Payload

      rat

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks