General

  • Target

    btweb_installer.exe.vir

  • Size

    513KB

  • Sample

    220620-vryz7aabc3

  • MD5

    36ea1b51442def28b8c127f7d9e386a5

  • SHA1

    00fac6353533794c5f4ef8ea08082974241f4841

  • SHA256

    8ecf3a66141bdd66b2ba8201bb1fedbbbde5c4e5710b99ba2e1d523ad49011a1

  • SHA512

    e8222956b4a5ea2964e9aeec6107738c213145e24593f1efc2c97aff9fb19f16f863ff202c25251e4fe7c527684bc03de19634deee42a02202238de1fcd8d15c

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

b6qc

Decoy


Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks