New purchase Order.exe

General
Target

New purchase Order.exe

Size

889KB

Sample

220521-jjzqzaagh5

Score
10 /10
MD5

69f2093d0e8722210b96012212776ece

SHA1

910fc996781777fe1fce27b115914e6f82097391

SHA256

65d63079af57f5ae33cb341bc94f3882d2516efc82a0373775c564759aeb862e

SHA512

a05aa45f224b03a849bc488677fd79b8b251880c154bb9c0f9ab58de5deccf785b121f8f35ddd175329de09ac1d1e4add884203c71e6c4f62b470a075f578d47

Malware Config

Extracted

Family xloader
Version 2.6
Campaign a8hq
Decoy

veteransductcleaning.com

beajtjunkies.com

houseofascofi.com

scottsdalemediator.com

atelyadesign.com

profitcase.pro

imtokenio.club

qinglingpai.com

bigsmile-meal.net

daytonlivestream.com

aspiradores10.online

ytybs120.com

hdatelier.com

bearpierce.com

yeson28ca.com

booklearner.com

m8j9.club

mmophamthinhlegend.space

hq4a7o6zb.com

sophiadaki.online

sunraiz.site

calorieup.com

vighneshequipments.com

695522z.xyz

xjfhkjy.com

jcpractice.xyz

micahriffle.com

babiezarena.com

heythatstony.com

bmtjt.com

aete.info

yeyeps.com

chafaouihicham.com

globalider.com

uwksu.com

jimmy.technology

theveatchplantation.com

devondarcy.com

suburbpaw.online

ballsfashion.com

devsecops-maturity-analysis.net

naturealizarte.com

jpvuy.icu

algoworksconsulting.com

51jzsy.com

the-arboretum.net

sportsmachine.xyz

kemanewright.com

transporteslatinoberlin.com

multirollup.xyz

Targets
Target

New purchase Order.exe

MD5

69f2093d0e8722210b96012212776ece

Filesize

889KB

Score
10/10
SHA1

910fc996781777fe1fce27b115914e6f82097391

SHA256

65d63079af57f5ae33cb341bc94f3882d2516efc82a0373775c564759aeb862e

SHA512

a05aa45f224b03a849bc488677fd79b8b251880c154bb9c0f9ab58de5deccf785b121f8f35ddd175329de09ac1d1e4add884203c71e6c4f62b470a075f578d47

Tags

Signatures

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

    Tags

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    Tags

  • Xloader Payload

    Tags

  • Blocklisted process makes network request

  • Deletes itself

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
    Discovery
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Privilege Escalation