General

Target:     request for quotation samples No 48576935 96877463.exe
Filesize:   419KB
Completed:  21-05-2022 04:19
Task:       behavioral1
Score:      10/10
MD5:        6ceb03b6435eefad76639a03a22ce0fb
SHA1:       f1a37e2f2cc7de7eed2403af42a446050a6610fd
SHA256:     b32579e01c28fc0a157f14ce8c679d02fcd1f5c03f8eef56ba6a77a627786d84
SHA512:     1987f6e1573ace6e6fa2b4c4409e7af1d7db12ab40593c8898a12c135aa0168c7772ae1727072e867311f4bd068a40b49c996102a05f80d5618de0f76d8b330b

Malware Config

Extracted

Family:    xloader
Version:   2.1
Campaign:  iwnn

Decoy

laerteskft.com

growingstrongbook.com

bridgecounsel.com

takeabreakfromwork.com

www2998s.com

rvaimportados.com

zelfstandigondernemen.online

connectinglifes.com

ecopt.win

bwwvuih.com

designingbeyondmyeloma.com

apprentisageaplus.com

walkintubstoday.sale

littlemexicoimports.com

getaltai.com

sbd55999.com

nu000.com

theconsciouscookingcompany.com

jelancer.com

osusume-toushiseminar.com

grandis16v.info

venturacaraccidentattorney.com

shadesofunity.com

shinephotographydesign.com

sportweights.net

duki.ltd

dutchlion.solutions

blockshow.info

property-shark.com

yourgolfersagent.com

heatingtoken.com

mrhira.com

ncmkwd.info

immobilier-1800.com

aloyadakmashin.com

xn--polticadelopersonal-n1b.com

nbgadgets.com

brightwaycapecoral.com

metrocommunitynews.com

thegirlwithmightyinks.com

7380pe.com

ondemandleadsagency.com

kysaves529.com

microgreensprout.com

progressivecarlogin.com

freemifr.com

danielzig.com

greathomes8.com

lzsmsm.com

denverpropertybrothers.com

Signatures 12

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload

    Reported IOCs

    resource                                                                       yara_rule
    behavioral1/memory/2020-63-0x000000000041CB00-mapping.dmp                      xloader
    behavioral1/memory/2020-62-0x0000000000400000-0x0000000000428000-memory.dmp    xloader
    behavioral1/memory/2020-65-0x0000000000400000-0x0000000000428000-memory.dmp    xloader
    behavioral1/memory/1392-71-0x0000000000070000-0x0000000000098000-memory.dmp    xloader
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    TTPs

    Data from Local System, Credentials in Files
  • Suspicious use of SetThreadContext
    request for quotation samples No 48576935 96877463.exe; request for quotation samples No 48576935 96877463.exe; wscript.exe

    Reported IOCs

    description                           pid   process                                                   target process
    PID 1776 set thread context of 2020   1776  request for quotation samples No 48576935 96877463.exe   request for quotation samples No 48576935 96877463.exe
    PID 2020 set thread context of 1220   2020  request for quotation samples No 48576935 96877463.exe   Explorer.EXE
    PID 1392 set thread context of 1220   1392  wscript.exe                                               Explorer.EXE
  • Modifies Internet Explorer settings
    wscript.exe

    TTPs

    Modify Registry

    Reported IOCs

    description   ioc                                                                                                                process
    Key created   \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2   wscript.exe
  • Suspicious behavior: EnumeratesProcesses
    request for quotation samples No 48576935 96877463.exe; request for quotation samples No 48576935 96877463.exe; wscript.exe

    Reported IOCs

    pid   process                                                   occurrences
    1776  request for quotation samples No 48576935 96877463.exe   1
    2020  request for quotation samples No 48576935 96877463.exe   2
    1392  wscript.exe                                               14
  • Suspicious behavior: MapViewOfSection
    request for quotation samples No 48576935 96877463.exe; wscript.exe

    Reported IOCs

    pid   process                                                   occurrences
    2020  request for quotation samples No 48576935 96877463.exe   3
    1392  wscript.exe                                               4
  • Suspicious use of AdjustPrivilegeToken
    request for quotation samples No 48576935 96877463.exe; request for quotation samples No 48576935 96877463.exe; wscript.exe; Explorer.EXE

    Reported IOCs

    description                  pid   process
    Token: SeDebugPrivilege      1776  request for quotation samples No 48576935 96877463.exe
    Token: SeDebugPrivilege      2020  request for quotation samples No 48576935 96877463.exe
    Token: SeDebugPrivilege      1392  wscript.exe
    Token: SeShutdownPrivilege   1220  Explorer.EXE
  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs

    pid   process       occurrences
    1220  Explorer.EXE  2
  • Suspicious use of SendNotifyMessage
    Explorer.EXE

    Reported IOCs

    pid   process       occurrences
    1220  Explorer.EXE  2
  • Suspicious use of WriteProcessMemory
    request for quotation samples No 48576935 96877463.exe; Explorer.EXE; wscript.exe

    Reported IOCs

    description                        pid   process                                                   target process                                            occurrences
    PID 1776 wrote to memory of 2004   1776  request for quotation samples No 48576935 96877463.exe   request for quotation samples No 48576935 96877463.exe   4
    PID 1776 wrote to memory of 2020   1776  request for quotation samples No 48576935 96877463.exe   request for quotation samples No 48576935 96877463.exe   7
    PID 1220 wrote to memory of 1392   1220  Explorer.EXE                                              wscript.exe                                               4
    PID 1392 wrote to memory of 368    1392  wscript.exe                                               Firefox.exe                                               5
Processes 6
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\request for quotation samples No 48576935 96877463.exe
      "C:\Users\Admin\AppData\Local\Temp\request for quotation samples No 48576935 96877463.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Users\Admin\AppData\Local\Temp\request for quotation samples No 48576935 96877463.exe
        "C:\Users\Admin\AppData\Local\Temp\request for quotation samples No 48576935 96877463.exe"
        PID:2004
      • C:\Users\Admin\AppData\Local\Temp\request for quotation samples No 48576935 96877463.exe
        "C:\Users\Admin\AppData\Local\Temp\request for quotation samples No 48576935 96877463.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:2020
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      Suspicious use of SetThreadContext
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        PID:368
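The injection chain recorded by the SetThreadContext and WriteProcessMemory signatures and the process tree above, reconstructed as an added example (this script is not part of the report or of the sandbox's own tooling). It parses the event descriptions in the form the report prints them, collapses repeated rows, and flags the sequence a practitioner looks for in a Formbook/Xloader run: the loader writes into and resumes a child running its own image (self-hollowing), the hollowed child sets a thread context on Explorer.EXE, Explorer writes into a freshly started system binary (wscript.exe from SysWOW64 here), which injects into Explorer again and then writes into the browser. PIDs and image names are those of this report; the event list is transcribed from the tables above with repeats collapsed.

```python
import re
from collections import defaultdict

# Process image names keyed by PID, transcribed from the "Processes" tree of this report.
PROC = {
    1220: "Explorer.EXE",
    1776: "request for quotation samples No 48576935 96877463.exe",
    2004: "request for quotation samples No 48576935 96877463.exe",
    2020: "request for quotation samples No 48576935 96877463.exe",
    1392: "wscript.exe",
    368: "Firefox.exe",
}

# Event descriptions transcribed from the SetThreadContext and WriteProcessMemory
# "Reported IOCs" tables above, in report order, with repeated rows collapsed.
EVENTS = [
    "PID 1776 wrote to memory of 2004",
    "PID 1776 wrote to memory of 2020",
    "PID 1776 set thread context of 2020",
    "PID 2020 set thread context of 1220",
    "PID 1220 wrote to memory of 1392",
    "PID 1392 set thread context of 1220",
    "PID 1392 wrote to memory of 368",
]

EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


def parse_events(lines):
    """(src_pid, action, dst_pid) per line; action is 'write' or 'setctx'. Unmatched lines are skipped."""
    out = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            action = "write" if m.group(2).startswith("wrote") else "setctx"
            out.append((int(m.group(1)), action, int(m.group(3))))
    return out


def edges(events):
    """{(src, dst): {actions}} so that repeated rows and both event kinds merge per pair."""
    e = defaultdict(set)
    for src, action, dst in events:
        e[(src, dst)].add(action)
    return dict(e)


def hollowing_candidates(events, names):
    """Pairs where a parent wrote into a child running the same image and then
    replaced the child's thread context: the self-hollowing first stage."""
    return sorted(
        pair for pair, acts in edges(events).items()
        if acts == {"write", "setctx"} and names.get(pair[0]) == names.get(pair[1])
    )


def write_only_targets(events):
    """Targets that were written to but never given a new thread context. In this report:
    the abandoned first child (2004), wscript.exe (1392), which Explorer wrote into without
    a SetThreadContext, and the browser (368), where the write is hooking, not hollowing."""
    e = edges(events)
    resumed = {dst for (_, dst), acts in e.items() if "setctx" in acts}
    return sorted({dst for (_, dst), acts in e.items() if "write" in acts} - resumed)


def explorer_pivot(events, names, explorer="Explorer.EXE"):
    """(who set a thread context on Explorer, whose memory Explorer wrote to)."""
    e = edges(events)
    exp = {pid for pid, name in names.items() if name == explorer}
    into = sorted(src for (src, dst), acts in e.items() if dst in exp and "setctx" in acts)
    out = sorted(dst for (src, dst), acts in e.items() if src in exp and "write" in acts)
    return into, out


def walk(events, start):
    """Depth-first walk from `start`, following each (src, dst) edge once in report order.
    Returns [(src, dst, 'setctx+write' | 'setctx' | 'write'), ...]."""
    e = edges(events)
    order = [(src, dst) for src, _, dst in events]
    seen, path = set(), []

    def dfs(pid):
        for pair in order:
            if pair[0] == pid and pair not in seen:
                seen.add(pair)
                path.append((pair[0], pair[1], "+".join(sorted(e[pair]))))
                dfs(pair[1])

    dfs(start)
    return path


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    for src, dst, acts in walk(ev, 1776):
        print(f"{src:>5} {PROC[src][:20]:<20} --{acts}--> {dst:>5} {PROC[dst]}")
    print("self-hollowing:", hollowing_candidates(ev, PROC))
    print("written, never resumed:", write_only_targets(ev))
    print("into/out of Explorer:", explorer_pivot(ev, PROC))
```

The walk visits each edge once, so the wscript.exe to Explorer.EXE step is reported as a second injection into an already visited process rather than looping; the same parser can be pointed at any other report that prints its injection events in this wording.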
Downloads
  • memory/1220-68-0x00000000060B0000-0x0000000006196000-memory.dmp
  • memory/1220-74-0x00000000061A0000-0x00000000062C1000-memory.dmp
  • memory/1392-71-0x0000000000070000-0x0000000000098000-memory.dmp
  • memory/1392-70-0x0000000000C20000-0x0000000000C46000-memory.dmp
  • memory/1392-69-0x0000000000000000-mapping.dmp
  • memory/1392-73-0x0000000000370000-0x00000000003FF000-memory.dmp
  • memory/1392-72-0x00000000021E0000-0x00000000024E3000-memory.dmp
  • memory/1776-55-0x00000000761F1000-0x00000000761F3000-memory.dmp
  • memory/1776-56-0x00000000003F0000-0x0000000000402000-memory.dmp
  • memory/1776-57-0x0000000005490000-0x00000000054D8000-memory.dmp
  • memory/1776-58-0x00000000054D0000-0x00000000054FE000-memory.dmp
  • memory/1776-54-0x0000000001010000-0x0000000001080000-memory.dmp
  • memory/2020-67-0x0000000000130000-0x0000000000140000-memory.dmp
  • memory/2020-66-0x0000000000910000-0x0000000000C13000-memory.dmp
  • memory/2020-62-0x0000000000400000-0x0000000000428000-memory.dmp
  • memory/2020-63-0x000000000041CB00-mapping.dmp
  • memory/2020-60-0x0000000000400000-0x0000000000428000-memory.dmp
  • memory/2020-59-0x0000000000400000-0x0000000000428000-memory.dmp
  • memory/2020-65-0x0000000000400000-0x0000000000428000-memory.dmp
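The dump list above and the four dumps the Xloader YARA rule matched, worked through as an added example (not part of the report): parse each dump name into PID, sequence number and address range, collapse repeated dumps of one region, and look for region sizes that recur across processes, which is how a payload carried along the injection chain shows up in a dump list before any file is opened. The names are transcribed from this report; the size pairings are what the data yields, not a statement about what each region holds.

```python
import re
from collections import defaultdict

# Dump names transcribed from the "Downloads" list of this report.
DUMPS = [
    "memory/1220-68-0x00000000060B0000-0x0000000006196000-memory.dmp",
    "memory/1220-74-0x00000000061A0000-0x00000000062C1000-memory.dmp",
    "memory/1392-71-0x0000000000070000-0x0000000000098000-memory.dmp",
    "memory/1392-70-0x0000000000C20000-0x0000000000C46000-memory.dmp",
    "memory/1392-69-0x0000000000000000-mapping.dmp",
    "memory/1392-73-0x0000000000370000-0x00000000003FF000-memory.dmp",
    "memory/1392-72-0x00000000021E0000-0x00000000024E3000-memory.dmp",
    "memory/1776-55-0x00000000761F1000-0x00000000761F3000-memory.dmp",
    "memory/1776-56-0x00000000003F0000-0x0000000000402000-memory.dmp",
    "memory/1776-57-0x0000000005490000-0x00000000054D8000-memory.dmp",
    "memory/1776-58-0x00000000054D0000-0x00000000054FE000-memory.dmp",
    "memory/1776-54-0x0000000001010000-0x0000000001080000-memory.dmp",
    "memory/2020-67-0x0000000000130000-0x0000000000140000-memory.dmp",
    "memory/2020-66-0x0000000000910000-0x0000000000C13000-memory.dmp",
    "memory/2020-62-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/2020-63-0x000000000041CB00-mapping.dmp",
    "memory/2020-60-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/2020-59-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/2020-65-0x0000000000400000-0x0000000000428000-memory.dmp",
]

# Dumps the report's xloader YARA rule matched ("Xloader Payload" signature above).
YARA_HITS = {
    "memory/2020-63-0x000000000041CB00-mapping.dmp",
    "memory/2020-62-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/2020-65-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/1392-71-0x0000000000070000-0x0000000000098000-memory.dmp",
}

REGION_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def parse_dump(name):
    """Split a dump name into its fields; region dumps carry a range, mapping dumps one address."""
    m = REGION_RE.match(name)
    if m:
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        return {"name": name, "pid": int(m.group(1)), "seq": int(m.group(2)),
                "kind": "region", "start": start, "end": end, "size": end - start}
    m = MAPPING_RE.match(name)
    if m:
        return {"name": name, "pid": int(m.group(1)), "seq": int(m.group(2)),
                "kind": "mapping", "addr": int(m.group(3), 16)}
    raise ValueError(f"unrecognised dump name: {name}")


def unique_regions(dumps):
    """Distinct (pid, start, end) regions; repeated dumps of one region collapse to one entry."""
    return sorted({(d["pid"], d["start"], d["end"]) for d in dumps if d["kind"] == "region"})


def same_size_across_pids(dumps):
    """{size: [(pid, start), ...]} for sizes that occur in more than one process.
    A payload migrated between processes shows up as identical sizes at different bases."""
    by_size = defaultdict(set)
    for pid, start, end in unique_regions(dumps):
        by_size[end - start].add((pid, start))
    return {sz: sorted(locs) for sz, locs in by_size.items()
            if len({pid for pid, _ in locs}) > 1}


def mapping_in_region(dumps):
    """Pair each mapping dump with the dumped region of the same PID that contains its address:
    (pid, addr, region_start, offset_into_region). Addresses outside every region are dropped."""
    out = []
    regions = unique_regions(dumps)
    for d in dumps:
        if d["kind"] != "mapping":
            continue
        for pid, start, end in regions:
            if pid == d["pid"] and start <= d["addr"] < end:
                out.append((d["pid"], d["addr"], start, d["addr"] - start))
    return out


def yara_hit_regions(dumps, hits):
    """Distinct (pid, start, size) of the region dumps the YARA rule matched."""
    return sorted({(d["pid"], d["start"], d["size"]) for d in dumps
                   if d["kind"] == "region" and d["name"] in hits})


if __name__ == "__main__":
    parsed = [parse_dump(n) for n in DUMPS]
    for size, locs in same_size_across_pids(parsed).items():
        print(f"size 0x{size:X} at " + ", ".join(f"pid {p} base 0x{s:X}" for p, s in locs))
    print("mapping inside dumped region:", [(p, hex(a), hex(s), hex(o)) for p, a, s, o in mapping_in_region(parsed)])
    print("yara-tagged regions:", [(p, hex(s), hex(z)) for p, s, z in yara_hit_regions(parsed, YARA_HITS)])
```

On this report the two region dumps the xloader rule hit are both 0x28000 bytes: the hollowed child's image at 0x400000 in PID 2020 and a region at 0x70000 in wscript.exe (PID 1392), consistent with one unpacked image present in both processes. The PID 2020 mapping dump at 0x41CB00 falls 0x1CB00 into that image. A second size, 0x303000, also recurs in both PIDs (at 0x910000 and 0x21E0000); the report does not say what those regions hold, so the script only reports the coincidence.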