General

  • Target

    shipping documents.exe

  • Size

    545KB

  • Sample

    220621-dhcl6acaf8

  • MD5

    9c51dcdcbb9a4cab887c3036bf8acea5

  • SHA1

    7f0a99049ce06b600a89516d77adf3649593be21

  • SHA256

    a12973c256e6565a0635fb0febaed5ed56f613d23b864df409f32f832a3af19f

  • SHA512

    3022ec309b092bb79990ffead9240b27b1973b27c73b6f31a74cabcf854be72b4d67c504ed4c9f4218e4dae37b1825a29185ff55a566d582b1d3a316d3332f58

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

gfv7

Decoy

hd4AZDZ3XeSkZ9w0NRn2+JU=

6iAxmGKdumxFEgwp

jM6QcxNUSeCKaUdvvh3g9mffhosQ

d4CC0LS0DjTJS8FdXqd3soM=

S1LPlXEIJY52Og==

doeO7AimsF0NEvFgnIV5

W2TlzH/byHtUU3B7tw==

Y2RAbyZjex2qj6GQv4Q=

ftoOsCpZdfmALQ==

4kqL8v/6rDj8Ohs/wAjkb0gD5Gfiww==

8mVs/AkvwLnIWp4=

yfqAazgHioT8b9yHSKpLDtgY

EyWD5F+Wu3L0xq/VJXgdlnFvBDdUz5WM

jn9ty+pdRNdtcDhJ5k8nwZofm4EJ

s9XVNv4/aRDBUx4w

+vHFE7Fw1rnIWp4=

wC395Yvi6G/3yoWRGW1USxzshi3Dyw==

jcbufIN91gHAUK1RYUMYIdyqpDlUz5WM

iIyoIvZNXwPNmBlBxGk6+A==

C/hTD8h/KWLiMW4Mt/joXyz23Q==

Targets

    • Target

      shipping documents.exe

    • Size

      545KB

    • MD5

      9c51dcdcbb9a4cab887c3036bf8acea5

    • SHA1

      7f0a99049ce06b600a89516d77adf3649593be21

    • SHA256

      a12973c256e6565a0635fb0febaed5ed56f613d23b864df409f32f832a3af19f

    • SHA512

      3022ec309b092bb79990ffead9240b27b1973b27c73b6f31a74cabcf854be72b4d67c504ed4c9f4218e4dae37b1825a29185ff55a566d582b1d3a316d3332f58

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Xloader Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks