General

  • Target

    Catalog.exe

  • Size

    880KB

  • Sample

    220621-nl5r8afeb9

  • MD5

    d880e2de89f81c41584300562970fb92

  • SHA1

    edf38c0c4eaa77d865f25ea92fd9e09168893228

  • SHA256

    085917245898b3d25910807103748a579b389697e79bdceb82b043f66b86a130

  • SHA512

    8a5a7e5625ae41bc438f9fa91cc556bcf4e471ffac99d11a64b7dfc2fbb833789c22007a69282729ac895a5ae3a3c8d9f791fa9a7bf2d88a7c0b7d2285572f80

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

nmd2

Decoy

FNWENUOMqqSv0Q==

ls6DEbQ1KBCeSsvUyRg=

mwgrjwpFplaykGoT

Uzzj8yXi13iLMnNGZcnViQliwA==

T7vzj0l0lqquyA==

csHzBjwvF7rmjcmWxjThd61NuuVl4gQ=

YaXyTwg3p1vrf/n9kYJQjrc=

cHAfFEI1JKDF4mTsGjDbeg==

TdDv+o9VSFep3wgTtY0swqQ=

Jw66vdyXdRZG9jJZycLD

icGvsuKZgXNid1M=

6m6H0GvguY+vZZpcioudbQ==

kNUBYMuymhgm2b0q3bEAiQliwA==

M3SiAXRbVe0XAsxDOIp6cg==

+eWLk+HjRRe3LuyavQ==

753R3QYD8XOWtWI0ouGpYw==

dRg+bQZ6TSbC8Sbs2mXXxLM=

kDlUsE+U7Y/RfUQ=

oENlcFZVqqSv0Q==

HCC+nbachxEs1f29GjDbeg==
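
The Decoy entries above are shown in the form the config extractor emitted them: base64-encoded encrypted blobs, not hostnames, so they cannot be dropped into a blocklist as they stand. The following is an added example (not part of this report or of the extractor that produced it) that decodes every entry, confirms none is plaintext, and groups entries by decoded length and trailing bytes. The grouping rests on an inference stated in the code: Formbook/xloader config strings are RC4-encrypted, and under a stream cipher with a fixed key two plaintexts of equal length that end in the same bytes (for example the same top-level domain) yield ciphertexts with identical tails. The decoy strings are copied verbatim from the list above; everything else is the example's own.

```python
import base64
from collections import defaultdict

# The 20 "Decoy" entries exactly as listed in the extracted xloader config above.
DECOYS = [
    "FNWENUOMqqSv0Q==",
    "ls6DEbQ1KBCeSsvUyRg=",
    "mwgrjwpFplaykGoT",
    "Uzzj8yXi13iLMnNGZcnViQliwA==",
    "T7vzj0l0lqquyA==",
    "csHzBjwvF7rmjcmWxjThd61NuuVl4gQ=",
    "YaXyTwg3p1vrf/n9kYJQjrc=",
    "cHAfFEI1JKDF4mTsGjDbeg==",
    "TdDv+o9VSFep3wgTtY0swqQ=",
    "Jw66vdyXdRZG9jJZycLD",
    "icGvsuKZgXNid1M=",
    "6m6H0GvguY+vZZpcioudbQ==",
    "kNUBYMuymhgm2b0q3bEAiQliwA==",
    "M3SiAXRbVe0XAsxDOIp6cg==",
    "+eWLk+HjRRe3LuyavQ==",
    "753R3QYD8XOWtWI0ouGpYw==",
    "dRg+bQZ6TSbC8Sbs2mXXxLM=",
    "kDlUsE+U7Y/RfUQ=",
    "oENlcFZVqqSv0Q==",
    "HCC+nbachxEs1f29GjDbeg==",
]


def decode_decoys(entries):
    """Base64-decode each entry; returns a list of (entry, raw_bytes)."""
    return [(e, base64.b64decode(e, validate=True)) for e in entries]


def is_printable_ascii(raw):
    """True only if every byte is printable ASCII (0x20-0x7E)."""
    return all(0x20 <= b <= 0x7E for b in raw)


def plaintext_entries(entries):
    """Entries that decode straight to printable text, i.e. would be usable as-is."""
    return [e for e, raw in decode_decoys(entries) if is_printable_ascii(raw)]


def shared_tails(entries, n=4):
    """Group entries by (decoded length, last n decoded bytes); keep groups of 2+.

    Inference, not something the report states: the decoy list is RC4-encrypted
    (a stream cipher), so equal-length plaintexts sharing a suffix such as ".com"
    produce ciphertexts with identical tails under the same key. Shared tails are
    therefore a hint about structure, not decrypted content.
    """
    groups = defaultdict(list)
    for e, raw in decode_decoys(entries):
        groups[(len(raw), raw[-n:])].append(e)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for entry, raw in decode_decoys(DECOYS):
        print(f"{entry:34s} {len(raw):2d} bytes  printable={is_printable_ascii(raw)}")
    for (length, tail), members in shared_tails(DECOYS).items():
        print(f"len={length} tail={tail.hex()}: {members}")
```

Running it shows that every entry contains non-printable or non-ASCII bytes (so none is a hostname in the clear) and that three pairs of equal-length entries share their last four bytes, which is what a stream cipher over domains ending in the same TLD would produce. Recovering the actual domains needs the sample's RC4 key material, which the report does not include.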

Targets

    • Target

      Catalog.exe

    • Formbook

      Formbook is an information stealer and form grabber: it logs keystrokes, captures data submitted through web forms and harvests stored credentials from browsers and mail clients, then exfiltrates them over HTTP to its C2.

    • Xloader

      Xloader is the rebranded successor of Formbook, sold as malware-as-a-service. It shares Formbook's code base and network protocol, which is why the extracted config (family xloader, version 2.8) and the FormBook network signatures below both match this sample.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Xloader Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence: the sample decides from the configured region whether to proceed, so detonation results can differ between locales.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers routinely harvest stored browser data such as saved credentials, cookies and autofill form data from the user's profile directories.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a hallmark of process injection (process hollowing): execution of a suspended process is redirected into code the dropper wrote into it, which is how Formbook-family samples move out of the original executable into a legitimate-looking process.
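
The two Suricata entries in the list above are the Emerging Threats rules that fired on the sample's HTTP check-ins. The following is an added example, not part of this report or of any sandbox or IDS tooling, showing how a responder would pull those same signature names out of Suricata's eve.json output to identify the beaconing host and the destinations it checked in to. The log lines are constructed for the example (IPs, ports, hostnames, timestamps and signature_id values are placeholders); only the two signature names come from the report.

```python
import json
from collections import defaultdict

# Signature names exactly as they appear in the report's signature list.
FORMBOOK_CHECKIN_SIGS = {
    "ET MALWARE FormBook CnC Checkin (GET)",
    "ET MALWARE FormBook CnC Checkin (POST) M2",
}

# Constructed eve.json excerpt in Suricata's EVE JSON layout (one event per line).
# Nothing here comes from the sandbox run; hosts, ports, timestamps and signature_id
# numbers are placeholders. One deliberately malformed line is included.
SAMPLE_EVE = """\
{"timestamp":"2022-06-21T10:15:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":49712,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"ET MALWARE FormBook CnC Checkin (GET)","category":"A Network Trojan was detected","severity":1},"http":{"hostname":"first.invalid","http_method":"GET","url":"/"}}
{"timestamp":"2022-06-21T10:15:03.000000+0000","event_type":"http","src_ip":"10.0.0.5","src_port":49712,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","http":{"hostname":"first.invalid","http_method":"GET","url":"/"}}
{"timestamp":"2022-06-21T10:15:09.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":49713,"dest_ip":"203.0.113.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":1000002,"rev":1,"signature":"ET MALWARE FormBook CnC Checkin (POST) M2","category":"A Network Trojan was detected","severity":1},"http":{"hostname":"second.invalid","http_method":"POST","url":"/"}}
{"timestamp":"2022-06-21T10:15:10.000000+0000","event_type":"alert","src_ip":"10.0.0.9","src_port":51000,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":1000003,"rev":1,"signature":"ET INFO Unrelated Informational Rule","category":"Misc activity","severity":3}}
{this line is not valid JSON and must be skipped}
"""


def iter_alerts(eve_text):
    """Yield Suricata alert events, skipping blank, malformed and non-alert lines."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt log line: ignore, do not abort the sweep
        if event.get("event_type") == "alert" and "alert" in event:
            yield event


def formbook_checkins(eve_text):
    """Alerts whose signature is one of the FormBook/xloader check-in rules."""
    return [ev for ev in iter_alerts(eve_text)
            if ev["alert"].get("signature") in FORMBOOK_CHECKIN_SIGS]


def checkin_summary(eve_text):
    """Map each beaconing source host to the (dest_ip, dest_port, hostname) it checked in to.

    The source of a check-in alert is the infected host. The destinations are
    every host the sample beaconed to, which for this family includes decoy
    domains as well as the real C2.
    """
    summary = defaultdict(set)
    for ev in formbook_checkins(eve_text):
        hostname = ev.get("http", {}).get("hostname")
        summary[ev["src_ip"]].add((ev["dest_ip"], ev.get("dest_port"), hostname))
    return {src: sorted(dests, key=str) for src, dests in summary.items()}


if __name__ == "__main__":
    for src, dests in checkin_summary(SAMPLE_EVE).items():
        print(f"{src} checked in to:")
        for dest_ip, dest_port, hostname in dests:
            print(f"  {dest_ip}:{dest_port} ({hostname})")
```

Because xloader, like Formbook, contacts its decoy domains alongside the real C2 (the Decoy list in the extracted config is exactly that set), the destinations a check-in alert produces are contacts to investigate, not a confirmed C2 list; the informational alert from a different source host is filtered out by signature name.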
