Overview

overview

10

Static

static

? PO-PO22E...df.exe

windows7_x64

10

? PO-PO22E...df.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d3ff23f626d8932d9ef5fca0b3dec964

  • Size

    316KB

  • Sample

    220613-kk6fksbaf5

  • MD5

    d3ff23f626d8932d9ef5fca0b3dec964

  • SHA1

    f38494d9598f5a3fdee6a97bc98fa8e1232d4341

  • SHA256

    d1be3f34e21284e498b6e4e096c11c8073f6584899d59e8dadb9d1487384986b

  • SHA512

    f67f61a35b5dccfa9578fb40c05bf170e2ce96fa6f0ccf6ac244f9c1683235db59e5eebdfc8097368b4b0086aac4f81aa462f36a96e0b0a0b73b5de90f000bf3

Score
10/10
xloadervweqloaderratspywarestealersuricata

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

vweq

Decoy

malang-media.com

mrsfence.com

lubetops.com

aitimedia.net

montecryptocapital.com

ahwmedia.com

bvmnc.site

bggearstore.com

bcsantacoloma.online

alltimephotography.com

santacruz-roofings.com

leaplifestyleenterprises.com

censovet.com

similkameenfarms.com

undisclosed.email

thetrinityco.com

rapiturs.com

jedlersdorf.info

mh7jk12e.xyz

flygurlblogwordpress.com

Targets

    • Target

      ? PO-PO22E000300.pdf.exe

    • Size

      245KB

    • MD5

      1b5bf9898a36e524ea8e4c64dc7ef12b

    • SHA1

      5f630502bf2e24bc5a0472b42360025883a3feb6

    • SHA256

      aaf551f6f56bb5f439c571549d44656abaeb09a2603a22f8f5f9bdad3f0049cd

    • SHA512

      daa9784eb90940aeafd6654f27628967d867db0f3a9c9ceac900acc13d951a06fa7fe4984277020f55eabe095077dd13154a0e0ddba5b323d11bd2a5ed60213a

    Score
    10/10
    xloadervweqloaderratsuricataspywarestealer

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Xloader Payload

      rat

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks