General

  • Target

    tmp

  • Size

    690KB

  • Sample

    220621-qqh55adfeq

  • MD5

    da4899c6d6bc7ed40cb8e708a511fcd1

  • SHA1

    a345d8f8a347445c7061ced6b39093c4ef3f1f29

  • SHA256

    cf6f665f23b44c9c347fc9d3fbb3f6b3ccf3ab82366959437213ad77346e757d

  • SHA512

    6dbee9ddb3c7b8ff41e3532dd5c1ec5a5d50097a5c76119319dd78afca7e9db6f95ef318c961aba3b510e55dfce4a9776aeaf293b0c3dd5b827ae11c2121d92e

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

ta3t

Decoy

breathdiagnostic.com

demo.gmbh

123y8.com

indianscoutrogue.com

jesusfiredept.com

x2-ape.net

lizuofangart.com

nerdsformula.com

pipstrips.com

overyonderhenly.com

botanicuochi.com

roomol.com

ard3ns.xyz

qbconsultancy.com

myromanticfactory.com

nailcolorgordonrdwilmington.com

3nigma.xyz

fsjjzssj.com

bigskytravel.net

musecoils.com

Targets

    • Target

      tmp

    • Size

      690KB

    • MD5

      da4899c6d6bc7ed40cb8e708a511fcd1

    • SHA1

      a345d8f8a347445c7061ced6b39093c4ef3f1f29

    • SHA256

      cf6f665f23b44c9c347fc9d3fbb3f6b3ccf3ab82366959437213ad77346e757d

    • SHA512

      6dbee9ddb3c7b8ff41e3532dd5c1ec5a5d50097a5c76119319dd78afca7e9db6f95ef318c961aba3b510e55dfce4a9776aeaf293b0c3dd5b827ae11c2121d92e

    • Formbook

      Formbook is an information-stealing malware family: it harvests credentials, keystrokes and data typed into browser forms and reports them to its command-and-control server.

    • Xloader

      Xloader is a rebranded version of the Formbook malware, which is why Formbook network signatures also fire on this sample.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers commonly read browser profile data, which can include saved credentials, cookies and form autofill entries.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
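The extracted config above is the most reusable part of this report: the campaign tag and the domain list can be turned into hunting rules alongside the ET FormBook check-in signature that fired. The following is an added example, not part of the sandbox report or of any vendor's extractor; it assumes the flattened key/value layout shown in the "Extracted" block (a key on one line, its value on the next, with "Decoy" carrying several values) and embeds a constructed subset of this sample's own values. Note that Xloader configs mix the real C2 with decoy domains, some of which may be legitimate sites, so the generated Suricata rules are meant for alerting and triage, not blocking.

```python
"""Parse a flattened Xloader sandbox config block into IOCs and emit Suricata DNS hunt rules.

Added example; the text layout it parses is an assumption based on the report above.
"""
import re
from typing import Dict, List, Union

# Constructed sample: a subset of this report's "Extracted" block, copied with its layout
CONFIG_TEXT = """
Family

xloader

Version

2.6

Campaign

ta3t

Decoy

breathdiagnostic.com

demo.gmbh

123y8.com

x2-ape.net

3nigma.xyz
"""

KEYS = {"Family", "Version", "Campaign", "Decoy"}
# Loose hostname check so garbage in the block fails loudly instead of becoming a rule
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)


def parse_config(text: str) -> Dict[str, Union[str, List[str]]]:
    """Walk the block line by line; a known key switches context, any other line is a value."""
    cfg: Dict[str, Union[str, List[str]]] = {"Decoy": []}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in KEYS:
            key = line
            continue
        if key is None:
            raise ValueError(f"value before any key: {line!r}")
        if key == "Decoy":
            if not DOMAIN_RE.match(line):
                raise ValueError(f"not a hostname: {line!r}")
            cfg["Decoy"].append(line.lower())
        else:
            cfg[key] = line
    return cfg


def suricata_dns_rules(cfg: Dict[str, Union[str, List[str]]], base_sid: int = 9000000) -> List[str]:
    """One exact-match dns.query rule per domain (startswith/endswith need Suricata 5.0+).

    base_sid is an assumed local SID range; pick one that does not collide with ET rules.
    """
    rules = []
    version = cfg.get("Version", "?")
    campaign = cfg.get("Campaign", "?")
    for i, domain in enumerate(cfg["Decoy"]):
        msg = f"HUNT xloader {version} campaign {campaign} config domain lookup {domain}"
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"{msg}"; '
            f'dns.query; content:"{domain}"; nocase; startswith; endswith; '
            f"classtype:trojan-activity; sid:{base_sid + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    config = parse_config(CONFIG_TEXT)
    print(f"{config['Family']} {config['Version']} campaign {config['Campaign']}: "
          f"{len(config['Decoy'])} domains")
    for rule in suricata_dns_rules(config):
        print(rule)
```

Because the real C2 is indistinguishable from the decoys in the static config, treat a hit on any of these domains as a pivot point: correlate it with the ET FormBook CnC check-in alert and with the host-side behaviours listed above (Run key, self-deletion, SetThreadContext) before escalating.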

MITRE ATT&CK Enterprise v6