General

  • Target

    RFQuote.PDF.exe

  • Size

    767KB

  • Sample

    220616-jfs41shbfk

  • MD5

    c391e7482ede48d44965004653d83212

  • SHA1

    c7142f7f7c882b0822a5ad89de5d4d9bd971f100

  • SHA256

    43963e1c6c61b149cecadcf3d653c197836f104e2396a174ff0cfae18f041ace

  • SHA512

    4803bf638f4fb399fcb27be17550aad6aed8427c949d53017d73dc0ede0be3efc29aa01a5b138c16543fdcf6b592b248199da812c2e557950611b79408733342

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.6

  • Campaign

    heqa

  • Decoy

    ygonetwork.com
    galegrant.site
    giaxemercedesbenz.com
    airambulancedhaka.com
    wombo.online
    grandthumproject.com
    wearegirls.net
    zcywe.top
    ioss.store
    yms97b.xyz
    yobe.online
    estudioslacostadelsol.com
    www17666.com
    imw23ctjgna.xyz
    opentextscientificresjrnl.biz
    918oom.com
    justapassenger25.com
    soulpieces.net
    cmtmetalfinishes.com
    wishwishtrue.com

    Formbook/XLoader configurations carry a list of decoy domains alongside the real C2 server, and the bot beacons to decoys and C2 alike. Most of the domains above are legitimate sites used as cover, so a single contact with one of them is weak evidence; a host that walks through several of them in quick succession is the pattern worth alerting on.
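The following hunt script is an added example and is not part of the sandbox report. It embeds the domain list extracted from this sample and scans web-proxy log lines for the Formbook/XLoader beaconing pattern (one client contacting several configured domains within a short window). The log format, the log lines, and the thresholds are constructed for the demonstration and are not taken from the report.

```python
"""Hunt for Formbook/XLoader check-in behaviour in proxy logs using the
domain list extracted from the sample above.

Added example, not sandbox output. The log format "<ISO ts> <client> <method>
<host> <path>" and the log lines are constructed; only CONFIG_DOMAINS comes
from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Decoy/C2 domains from the sample's extracted configuration (see the report).
CONFIG_DOMAINS = frozenset({
    "ygonetwork.com", "galegrant.site", "giaxemercedesbenz.com",
    "airambulancedhaka.com", "wombo.online", "grandthumproject.com",
    "wearegirls.net", "zcywe.top", "ioss.store", "yms97b.xyz", "yobe.online",
    "estudioslacostadelsol.com", "www17666.com", "imw23ctjgna.xyz",
    "opentextscientificresjrnl.biz", "918oom.com", "justapassenger25.com",
    "soulpieces.net", "cmtmetalfinishes.com", "wishwishtrue.com",
})

# Constructed sample log (hypothetical format). 10.0.0.7 shows the bot walking
# the list; 10.0.0.9 touches two listed domains hours apart (ordinary browsing).
SAMPLE_LOG = """\
2022-06-16T09:00:01 10.0.0.5 GET www.example.org /index.html
2022-06-16T09:00:14 10.0.0.7 GET www.ygonetwork.com /blog/
2022-06-16T09:00:19 10.0.0.7 GET galegrant.site /xs7a/
2022-06-16T09:00:24 10.0.0.7 POST giaxemercedesbenz.com /xs7a/
2022-06-16T09:00:29 10.0.0.7 GET airambulancedhaka.com /xs7a/
2022-06-16T09:05:00 10.0.0.9 GET wombo.online /app
2022-06-16T11:30:00 10.0.0.9 GET soulpieces.net /
this line is malformed and must be skipped, not crash the hunt
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) (?P<host>\S+) (?P<path>\S+)$"
)


def config_domain_for(host):
    """Return the configured domain that `host` equals or is a subdomain of,
    else None. Suffix matching is anchored on a dot so that
    'notygonetwork.com' does not match 'ygonetwork.com'."""
    host = host.lower().rstrip(".")
    for domain in CONFIG_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def parse_log(text):
    """Yield (timestamp, client, configured_domain) for lines that hit a
    configured domain. Lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        domain = config_domain_for(m["host"])
        if domain:
            yield datetime.fromisoformat(m["ts"]), m["client"], domain


def flag_clients(text, min_distinct=3, window_minutes=15):
    """Return {client: sorted distinct configured domains} for every client
    that contacted at least `min_distinct` distinct configured domains within
    any `window_minutes` span. Thresholds are illustrative assumptions."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for ts, client, domain in parse_log(text):
        hits[client].append((ts, domain))

    flagged = {}
    for client, events in hits.items():
        events.sort()  # chronological, so a window can start at each event
        for i, (start, _) in enumerate(events):
            seen = {d for ts, d in events[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                flagged[client] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    for client, domains in flag_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(domains)} configured domains -> {domains}")
```

Run against real logs, the same function applies to DNS query logs once the host field is mapped; the key design choice is to alert on the number of distinct configured domains per client rather than on any one domain, since the decoys are real sites that other users may legitimately visit.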

Targets

    • Target

      RFQuote.PDF.exe

    • Size

      767KB

    • MD5

      c391e7482ede48d44965004653d83212

    • SHA1

      c7142f7f7c882b0822a5ad89de5d4d9bd971f100

    • SHA256

      43963e1c6c61b149cecadcf3d653c197836f104e2396a174ff0cfae18f041ace

    • SHA512

      4803bf638f4fb399fcb27be17550aad6aed8427c949d53017d73dc0ede0be3efc29aa01a5b138c16543fdcf6b592b248199da812c2e557950611b79408733342

    • Formbook

      Formbook is an information stealer: it hooks browsers and other applications to capture keystrokes, clipboard contents and submitted form data, harvests stored credentials, and exfiltrates them to its C2 over HTTP.

    • Xloader

      Xloader is a rebranded version of Formbook, sold as malware-as-a-service since 2020 and extended with a macOS variant; its configuration format, check-in traffic and injection behaviour remain those of Formbook, which is why the Formbook Suricata rules below still fire.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Xloader Payload

    • Adds policy Run key to start application

      Writes an autostart entry under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, an Explorer-processed autostart location that is monitored less often than the standard Run key.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers target stored browser data such as saved credentials, cookies and autofill entries; reads of browser profile directories by an unexpected process are a useful triage signal.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a suspended thread of another process is the classic way to redirect execution into injected code (process hollowing or thread hijacking); Formbook/XLoader uses it to run its C2 and stealing logic from legitimate system processes.

MITRE ATT&CK Enterprise v6

Tasks