General

  • Target

    shipping docs.exe

  • Size

    492KB

  • Sample

    220608-nwp5hsgdbj

  • MD5

    7da04dc46171bc1ec53f1c141ed80e44

  • SHA1

    2c4044f32cfcabb32d1ab4df0467d0ccd3452105

  • SHA256

    4330d9c1362dfccf1ad5d79cc9329abe6f4a7685a2169b7e42de68a1b1e50b3a

  • SHA512

    365b4262427a335fa5b6a2bbc8909365bead264fcc98160c5c8d9828e141a67d4b1ac97b5cc9e5bd054659a66fa63fc54ea523538286ecc665cf39d68af4378e

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

a8hq

Decoy


Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile information.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1)

  • Defense Evasion: Modify Registry, T1112 (2)

  • Credential Access: Credentials in Files, T1081 (1)

  • Collection: Data from Local System, T1005 (1)