General

  • Target

    0x000900000001316f-58.dat

  • Size

    174KB

  • Sample

    220616-hhxpjsabd2

  • MD5

    4e4fe9a1e4568efac0293fcaf431f2da

  • SHA1

    c17588029ab95904ab548b5c8fb4dc626e1d8d12

  • SHA256

    929b0c7d953ee579a49a6d4a9456a1a45a9f4e81933adf6a07b34d6669f096b6

  • SHA512

    7a323280ef25c208fbe726e5ba21200ec9af976f30da3ea330387afe95c41ad082404d4cd811672f0b7e9764759c8cc7b1b2252da242ff8253e429bb2cc7a461

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

r4wf

Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Xloader Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks