General

  • Target

    7.exe

  • Size

    732KB

  • Sample

    220616-qahveshga4

  • MD5

    6597a0fbd9b2ee3bcf4a801fe4b69ae0

  • SHA1

    6f5bd5f70bc21389c4d9ba4870bb8d4f97983a06

  • SHA256

    57023cbc586b92ef899c3299c174c2689ba5b5e6e970976adde29d9977be9ddb

  • SHA512

    377ed8daa7d35792babd744f3065db6cc92f6f4c352fab595b9f01598b43796183d635234cc49dcac88188a1816fdede39bb8c06efd515e1158170f5947ec3b4

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech
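The decoy list above is how Formbook and Xloader hide their command-and-control server: the extracted config carries a block of domains, only one of which is the live C2, the rest being decoys (many of them legitimate sites) that the bot also beacons to so that traffic analysis cannot single out the real server. Two consequences for a defender: blocking the list wholesale causes collateral damage, and a single resolution of one of these names means little, while one host resolving several of them within minutes is a strong signal. The Suricata alerts further down match the HTTP check-in itself rather than the destination, so the domain list is a complementary hunt, not a replacement. The Python below is an added example, not part of the Triage report or of any Xloader analysis tooling; it reuses the hashes and domains exactly as the report lists them, while the DNS log format, the sample log lines and the threshold of three domains are constructed assumptions to adapt to your own telemetry.

```python
"""Triage helpers derived from the Triage report above (added example).

Two checks: confirm a file is the reported 7.exe by all four listed hashes,
and hunt DNS logs for hosts that resolve several of the configured decoy
domains, which is how a Formbook/Xloader beacon looks on the wire.
"""
import hashlib
import re
from collections import defaultdict

# Hashes of 7.exe exactly as listed in the report.
SAMPLE_HASHES = {
    "md5": "6597a0fbd9b2ee3bcf4a801fe4b69ae0",
    "sha1": "6f5bd5f70bc21389c4d9ba4870bb8d4f97983a06",
    "sha256": "57023cbc586b92ef899c3299c174c2689ba5b5e6e970976adde29d9977be9ddb",
    "sha512": "377ed8daa7d35792babd744f3065db6cc92f6f4c352fab595b9f01598b43796183d635234cc49dcac88188a1816fdede39bb8c06efd515e1158170f5947ec3b4",
}

# The 20 domains from the extracted XLoader 2.6 config (campaign uj3c).
# Only one is the live C2; the rest are decoys, many of them legitimate sites.
CONFIG_DOMAINS = frozenset({
    "copimetro.com", "choonchain.com", "luxxwireless.com",
    "fashionweekofcincinnati.com", "campingshare.net", "suncochina.com",
    "kidsfundoor.com", "testingnyc.co", "lovesoe.com", "vehiclesbeenrecord.com",
    "socialpearmarketing.com", "maxproductdji.com", "getallarticle.online",
    "forummind.com", "arenamarenostrum.com", "trisuaka.xyz",
    "designgamagazine.com", "chateaulehotel.com", "huangse5.com",
    "esginvestment.tech",
})


def hash_bytes(data: bytes) -> dict:
    """Hash file contents with every algorithm the report lists."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in SAMPLE_HASHES}


def is_reported_sample(data: bytes) -> bool:
    """True only if all four digests match the report (one would do; checking
    four protects against a typo in a copied hash)."""
    return hash_bytes(data) == SAMPLE_HASHES


def config_domain_for(qname: str):
    """Map a queried name onto a configured domain, covering subdomains and
    the trailing dot some resolvers log; returns None for anything else."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CONFIG_DOMAINS:
            return candidate
    return None


# Constructed (hypothetical) DNS log format: "<timestamp> <client_ip> <qname>".
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def config_domains_by_host(log_lines):
    """Return {client_ip: set(configured domains it resolved)}."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed or blank line: skip rather than crash
        _ts, client, qname = m.groups()
        domain = config_domain_for(qname)
        if domain:
            hits[client].add(domain)
    return dict(hits)


def flag_hosts(log_lines, min_domains: int = 3):
    """Hosts that resolved at least `min_domains` distinct configured domains.
    The threshold is an assumption: one hit can be a legitimate visit to a
    decoy site, several in a short window almost never is."""
    return sorted(host for host, doms in config_domains_by_host(log_lines).items()
                  if len(doms) >= min_domains)


# Constructed sample log: 10.0.0.23 behaves like an infected host, 10.0.0.9
# visited one of the (legitimate) decoy sites once.
SAMPLE_DNS_LOG = [
    "2022-06-16T10:01:02Z 10.0.0.23 copimetro.com",
    "2022-06-16T10:01:03Z 10.0.0.23 www.choonchain.com",
    "2022-06-16T10:01:04Z 10.0.0.23 luxxwireless.com.",
    "2022-06-16T10:01:05Z 10.0.0.23 campingshare.net",
    "2022-06-16T10:01:06Z 10.0.0.23 ctldl.windowsupdate.com",
    "2022-06-16T10:05:00Z 10.0.0.9 fashionweekofcincinnati.com",
    "2022-06-16T10:05:01Z 10.0.0.9 example.org",
]

if __name__ == "__main__":
    print("flagged hosts:", flag_hosts(SAMPLE_DNS_LOG))
    print("is 7.exe:", is_reported_sample(b"not the real sample"))
```

Run against the constructed log, only 10.0.0.23 is flagged: it resolved four configured domains, while 10.0.0.9 touched a single decoy and is left alone. Feed real resolver logs through `config_domains_by_host` and inspect the per-host sets before deciding on blocks; the domains that several infected hosts have in common are the candidates worth treating as C2 rather than the whole list.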

Targets

    • Target

      7.exe

    • Formbook

      Formbook is an information-stealing malware family, sold as malware-as-a-service, that harvests credentials and other sensitive data from browsers, mail clients and other applications by form grabbing, keylogging and clipboard capture.

    • ModiLoader, DBatLoader

      ModiLoader (also tracked as DBatLoader) is a loader written in Delphi that abuses legitimate cloud storage services to fetch its next-stage payload; in this sample the second stage is Xloader.

    • Xloader

      Xloader is the successor to Formbook, sold under a new name since 2020 with the same core stealer functionality and network protocol, which is why Formbook network signatures also fire on Xloader traffic.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • ModiLoader Second Stage

    • Xloader Payload

    • Reads user/profile data of web browsers

      Infostealers routinely read browser profile stores, which hold saved passwords, cookies, session tokens and autofill data.

    • Adds Run key to start application

      The payload registers itself under a CurrentVersion\Run key so that it is relaunched at every logon, a common persistence mechanism for this family.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process is the last step of process hollowing: the loader starts a legitimate process suspended, writes the payload into it and points the thread's instruction pointer at the new entry point before resuming it. Formbook and Xloader inject into system processes this way.
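The "Adds Run key" behaviour above is the sample's persistence: a value under a CurrentVersion\Run key that launches the dropped copy of the payload at logon. Run keys are also where plenty of legitimate software registers itself, so the useful check is not "is there a Run entry" but "does the Run entry launch an image from a directory a standard user can write to", which is where a dropped payload lands and where installed software normally does not. The Python below is an added example, not part of the Triage report; it parses a registry export in .reg format and applies that check. The export text, the value names and the paths in it are constructed, and the set of user-writable locations is an assumption to extend for your environment.

```python
"""Hunt for 'Adds Run key' persistence in a registry export (added example)."""
import re

# Autostart keys to inspect, lower-cased for comparison.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
}

# Path fragments a standard user can write to (assumption: extend as needed).
# A Run entry launching from here is the pattern a dropped payload leaves.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')  # REG_SZ values only


def parse_reg_export(text):
    """Yield (key, value_name, command) for string values under Run keys.

    .reg files escape backslashes and quotes inside string data; both are
    undone here so the command reads as it does in the registry.
    """
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key and current_key.lower() in RUN_KEYS:
            name, data = m.groups()
            yield current_key, name, data.replace("\\\\", "\\").replace('\\"', '"')


def image_path(command: str) -> str:
    """Extract the executable path from a Run command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_run_entries(text):
    """Return (key, value_name, image_path) for Run entries whose image lives
    in a user-writable directory."""
    flagged = []
    for key, name, command in parse_reg_export(text):
        path = image_path(command)
        if any(fragment in path.lower() for fragment in USER_WRITABLE):
            flagged.append((key, name, path))
    return flagged


# Constructed .reg export: one normal autostart entry and one that looks like
# a dropped payload. Value names and paths are made up for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Update"="C:\\Users\\victim\\AppData\\Roaming\\Update\\7.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00
'''

if __name__ == "__main__":
    for key, name, path in suspicious_run_entries(SAMPLE_REG):
        print(f"{key}\\{name} -> {path}")
```

On the constructed export only the `Update` value is reported, because its image sits under AppData; the quoted OneDrive entry under Program Files parses cleanly and is left alone. Export the keys on a suspect host with `reg export` and feed the file to `suspicious_run_entries`; anything it flags is worth hashing and comparing against the sample hashes above.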

MITRE ATT&CK Enterprise v6

Tasks