0be2b3666584ba80d0c8ae2606b95be719dc38fbb04a6059cc34529825996d53

General

Target: 0be2b3666584ba80d0c8ae2606b95be719dc38fbb04a6059cc34529825996d53
Size: 251KB
Sample: 220521-pzct2agcb9
Score: 10/10
MD5: cdcb31f9b23b96c5b90a0d34a73b2781
SHA1: 5c949be4f712dd59864872b198bb5ae823c2ca8b
SHA256: 0be2b3666584ba80d0c8ae2606b95be719dc38fbb04a6059cc34529825996d53
SHA512: e5f54ed1710b32b9d9b7f0ca4da630df186b4292198114c6cb2ae8c4b2aa214a49b8d92b92cb7876a8b5e673b0d382af645136343756ccd572c7bf320d9c344e

Malware Config (Extracted)

Family: xloader
Version: 2.0
Campaign: war0
Decoy domains:

siompany.net

55667879.com

smallmouth.net

fordforlano.net

placadesilicon.com

btw-butler.com

almbeauty.com

jbthomson.com

presidentialtennessee.com

chiropractorinnorthport.com

yourber.com

get-luxurycruise.rocks

strakellc.com

eukncg.info

pablovergara.info

sologoods.com

toledovista.com

weightlosscoffees.com

echoawyer.com

csproductionsmedia.com

dwspd.info

thetruketo.com

babiescamerino.com

buyamzproduct.com

qhccwcyy.com

beyondt2p.biz

hesvjgg.com

4twentyicecream.com

collagenwaveofficial.com

bestsellingnovelty.com

butterflywarriorshop.com

r-city.info

on444.com

univers-travel.com

mandarinasinpepitas.com

hakupu.com

lokmitrabloodbank.com

autotrasporticanale.com

espiarwhatsappenminutos.com

satnanews.com

xhtd645.com

lucidabright.com

qushipower.com

del-cafes.com

kanatrevor.com

lauras-augenblick.com

maydaytravelsandhospitality.com

weatherclan.com

kikmessengerforpcs.com

albergue-pintueles.com

Targets

Target: Scan_order9215060196.exe
MD5: 3902d05dd23263e123e94136dbde2f38
Filesize: 327KB
Score: 10/10
SHA1: a106c76ed170064b60a541a4533b2610e7e652df
SHA256: 896745863d78a02b1cf02565dbeb3bca4bfd156a1079d28c07ddfb2d8b9fc665
SHA512: 1900a2b722bc099bf4733c412db310916a4258b6482d6676a47332983c299d03a89e04f8614f49be3bd43ee464aef7d3ac66f6c5bf378601b7f77e06c969c881

Tags

Signatures

  • Formbook

    Description

    Formbook is an information-stealing malware family that harvests credentials and other data from the infected host.

    Tags

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

    Tags

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    Tags

  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    Description

    suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    Tags

  • Xloader Payload

    Tags

  • Adds policy Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry
  • Executes dropped EXE

  • Deletes itself

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System; Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation