General

  • Target

    1

  • Size

    60KB

  • Sample

    220621-pzlf6sdedm

  • MD5

    f86865bc1b7e91e8e07d2a886682a772

  • SHA1

    a496236c6d15ea25bca7afc6b0656fc1d1a78779

  • SHA256

    fb3720f555a4f24cbbb34901d750d439d9b56d7336e6d6a187dde5a723fc50ca

  • SHA512

    dc91a2706c49807575716a797aed3186259b0274b48f08202b9f66892a76d4cd4016419b454df4c3b768ae68e343524758d63e0e0af33f89d4f86f8e2dabd8db

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

uem3

Decoy


Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Xloader Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks