General

  • Target

    7498216151.zip

  • Size

    500KB

  • Sample

    220530-cmc8taacg6

  • MD5

    870490e556f622f10d304ddbfeccd79b

  • SHA1

    6734bd66fb6e6e63025b754d06d36d8916fd03a5

  • SHA256

    1a2b69e124bf6f1e5abe064752e77297722b9893307710e63c442fadc9a5e08f

  • SHA512

    e95ef4ba64b44cd865617f568dcf3a341652ae107125076f3925a93999eaa85a6ba539818a2732cb599b307484b75679a406905782166118b00eb61379de6784

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

a8hq

Decoy

veteransductcleaning.com

beajtjunkies.com

houseofascofi.com

scottsdalemediator.com

atelyadesign.com

profitcase.pro

imtokenio.club

qinglingpai.com

bigsmile-meal.net

daytonlivestream.com

aspiradores10.online

ytybs120.com

hdatelier.com

bearpierce.com

yeson28ca.com

booklearner.com

m8j9.club

mmophamthinhlegend.space

hq4a7o6zb.com

sophiadaki.online
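
The domain list above is the part of this report most useful for hunting. Formbook/Xloader configs carry a set of decoy domains alongside the real C2 and the bot contacts several of them, so a single DNS query for one of these names may be a legitimate visit to a decoy site, while one client querying several of them in a short window matches the bot's behaviour. The following script is an added example, not part of the sandbox report: it takes the domains exactly as extracted above, matches them against a constructed DNS query log (timestamp, client IP, query name; the log lines are made up), and reports clients that touched at least two config domains. The threshold is a hunting heuristic assumed here, not a published rule.

```python
from __future__ import annotations

from collections import defaultdict

# Domains copied from the report's extracted config (xloader 2.6, campaign a8hq).
XLOADER_A8HQ_DOMAINS: frozenset[str] = frozenset({
    "veteransductcleaning.com", "beajtjunkies.com", "houseofascofi.com",
    "scottsdalemediator.com", "atelyadesign.com", "profitcase.pro",
    "imtokenio.club", "qinglingpai.com", "bigsmile-meal.net",
    "daytonlivestream.com", "aspiradores10.online", "ytybs120.com",
    "hdatelier.com", "bearpierce.com", "yeson28ca.com", "booklearner.com",
    "m8j9.club", "mmophamthinhlegend.space", "hq4a7o6zb.com",
    "sophiadaki.online",
})

# Constructed DNS log, one query per line: "<epoch> <client_ip> <qname>".
SAMPLE_DNS_LOG = """\
1653916800 10.0.0.5 www.example.com
1653916801 10.0.0.5 veteransductcleaning.com
1653916802 10.0.0.5 www.profitcase.pro
1653916803 10.0.0.5 m8j9.club.
1653916810 10.0.0.9 houseofascofi.com
1653916811 10.0.0.9 notprofitcase.pro
"""


def normalize(qname: str) -> str:
    """Lower-case, strip the trailing root dot, drop a leading 'www.' label."""
    q = qname.lower().rstrip(".")
    return q[4:] if q.startswith("www.") else q


def config_domain_for(qname: str) -> str | None:
    """Return the config domain a query belongs to (exact or subdomain), else None."""
    q = normalize(qname)
    if q in XLOADER_A8HQ_DOMAINS:
        return q
    for domain in XLOADER_A8HQ_DOMAINS:
        # Suffix check with the leading dot so "notprofitcase.pro" does not match.
        if q.endswith("." + domain):
            return domain
    return None


def hits_per_client(log_text: str) -> dict[str, set[str]]:
    """Map each client IP to the set of distinct config domains it queried."""
    hits: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # blank or malformed line
        _ts, client, qname = fields
        domain = config_domain_for(qname)
        if domain:
            hits[client].add(domain)
    return dict(hits)


def suspected_infections(log_text: str, threshold: int = 2) -> dict[str, set[str]]:
    """Clients that queried at least `threshold` distinct config domains.

    One hit may be a genuine visit to a decoy site; a client touching several
    domains from the same config is the actionable signal. The threshold is an
    assumed hunting heuristic, not a rule from the report.
    """
    return {c: d for c, d in hits_per_client(log_text).items() if len(d) >= threshold}


if __name__ == "__main__":
    for client, domains in sorted(suspected_infections(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {len(domains)} config domains queried: {sorted(domains)}")
```

On the constructed log only 10.0.0.5 is reported: it queried three config domains, while 10.0.0.9 queried one (houseofascofi.com) and one look-alike that correctly does not match. Replace SAMPLE_DNS_LOG with a real resolver or Zeek dns.log export to run it against your own data.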

Targets

    • Target

      New purchase Order.exe

    • Size

      889KB

    • MD5

      69f2093d0e8722210b96012212776ece

    • SHA1

      910fc996781777fe1fce27b115914e6f82097391

    • SHA256

      65d63079af57f5ae33cb341bc94f3882d2516efc82a0373775c564759aeb862e

    • SHA512

      a05aa45f224b03a849bc488677fd79b8b251880c154bb9c0f9ab58de5deccf785b121f8f35ddd175329de09ac1d1e4add884203c71e6c4f62b470a075f578d47

    • Formbook

      Formbook is an information-stealing malware family: a form grabber and keylogger that harvests credentials and other data entered into browsers and mail clients on the infected host.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Xloader Payload

    • Adds policy Run key to start application

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, autofill entries and browsing history.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
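
Two of the behaviours listed above, "Adds Run key" and "Adds policy Run key", are the same persistence technique written to two places: the familiar HKCU/HKLM ...\CurrentVersion\Run key, and the Group Policy equivalent ...\Policies\Explorer\Run, which fewer autorun inventories check. The script below is an added example, not part of this report or of any sandbox's own detection code. It classifies registry value-set events modelled on Sysmon Event ID 13 and raises severity when the writing process or the autorun target sits in a user-writable directory. The events, SID, value names and dropped-file paths are constructed; only the sample filename "New purchase Order.exe" comes from the report. The technique ID uses the same ATT&CK v6 numbering as the matrix in this report.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Match the value-level path under a Run/RunOnce key or its Group Policy
# equivalent, independent of hive (HKLM, HKU\<SID>) and of the Wow6432Node view.
RUN_KEY = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$",
    re.IGNORECASE,
)
POLICY_RUN_KEY = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$",
    re.IGNORECASE,
)

# Directories a dropped loader commonly runs from, or points its autorun entry at.
USER_WRITABLE_DIRS = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")


@dataclass(frozen=True)
class RegistryEvent:
    event_id: int       # Sysmon: 12 = key create/delete, 13 = value set, 14 = rename
    image: str          # process that performed the write
    target_object: str  # full registry path, ending in the value name
    details: str        # data written to the value


@dataclass(frozen=True)
class Finding:
    technique: str
    severity: str
    reason: str
    event: RegistryEvent


def classify(event: RegistryEvent) -> Finding | None:
    """Return a finding for a Run-key persistence write, or None."""
    if event.event_id != 13:
        return None  # only value writes register an autorun
    if POLICY_RUN_KEY.search(event.target_object):
        kind = "policy Run key"
    elif RUN_KEY.search(event.target_object):
        kind = "Run key"
    else:
        return None
    in_user_dir = (
        any(d in event.image.lower() for d in USER_WRITABLE_DIRS)
        or any(d in event.details.lower() for d in USER_WRITABLE_DIRS)
    )
    severity = "high" if in_user_dir else "low"
    reason = f"{kind} written by {event.image} -> {event.details}"
    if in_user_dir:
        reason += " (writer or autorun target in a user-writable directory)"
    return Finding("T1060", severity, reason, event)


def scan(events: list[RegistryEvent]) -> list[Finding]:
    """Classify every event and keep the findings."""
    return [f for f in map(classify, events) if f is not None]


# Constructed events; SID, value names and dropped paths are made up for the example.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
DROPPER = r"C:\Users\victim\AppData\Local\Temp\New purchase Order.exe"
DROPPED = r"C:\Users\victim\AppData\Roaming\Updater\upd.exe"
SAMPLE_EVENTS = [
    RegistryEvent(13, DROPPER, SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater", DROPPED),
    RegistryEvent(13, DROPPER,
                  SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updater", DROPPED),
    RegistryEvent(13, r"C:\Program Files\Vendor\setup.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
                  r"C:\Program Files\Vendor\tray.exe"),
    # Explorer's Run-dialog history lives under RunMRU: a classic false positive.
    RegistryEvent(13, r"C:\Windows\explorer.exe",
                  SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a", r"cmd\1"),
    # Creating the key without setting a value is not persistence by itself.
    RegistryEvent(12, DROPPER, SID + r"\Software\Microsoft\Windows\CurrentVersion\Run", ""),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.technique}: {f.reason}")
```

On the constructed events the two writes by the dropper are reported as high (writer in Temp, target in Roaming), the vendor installer's Run entry as low, and the RunMRU write and the bare key creation are ignored.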

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic              Technique                            Count  ID
Persistence         Registry Run Keys / Startup Folder   2      T1060
Defense Evasion     Modify Registry                      3      T1112
Credential Access   Credentials in Files                 1      T1081
Discovery           Query Registry                       1      T1012
Discovery           System Information Discovery         1      T1082
Collection          Data from Local System               1      T1005

Note: the IDs follow ATT&CK v6. T1060 and T1081 have since been deprecated; their current equivalents are T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1552.001 (Unsecured Credentials: Credentials In Files).

Tasks