General

  • Target

    shipping documents.exe

  • Size

    454KB

  • Sample

    220617-f247madag9

  • MD5

    b89f2409aeb72bcc191ef5bf407f57c4

  • SHA1

    f38149fabe2f308cc1807d0a40bebef27ccae19c

  • SHA256

    349adeb05be51a940a1fbf77ffc15f3b38eee08e283197e123d4544ce338bec6

  • SHA512

    04ef8f3df19ff7f1bf31f55f2ed8f9e878f5c566980b3faed488dcad49f813893062de2aae632df31657e39ad56e87371e5c5f22ed5dfccf53d7ee40ceabc197

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

pdrq

Decoy

welchsunstar.com

mppservicesllc.com

wiresofteflon.com

brabov.xyz

compnonoch.site

yourbuilderworks.com

iamsamirahman.com

eriqoes.com

eastudio.design

skyearth-est.com

teethfitness.com

razaancreates.com

shfbfs.com

joyfulbrokekids.com

kjbolden.com

howirep.com

deedeesmainecoons.website

e-powair.com

aheatea.com

shalfey0009.xyz

Targets

    • Target

      shipping documents.exe

    • Size

      454KB

    • MD5

      b89f2409aeb72bcc191ef5bf407f57c4

    • SHA1

      f38149fabe2f308cc1807d0a40bebef27ccae19c

    • SHA256

      349adeb05be51a940a1fbf77ffc15f3b38eee08e283197e123d4544ce338bec6

    • SHA512

      04ef8f3df19ff7f1bf31f55f2ed8f9e878f5c566980b3faed488dcad49f813893062de2aae632df31657e39ad56e87371e5c5f22ed5dfccf53d7ee40ceabc197

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Looks for VirtualBox Guest Additions in registry

    • Xloader Payload

    • Adds policy Run key to start application

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks