General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.29790.29870

  • Size

    306KB

  • Sample

    220621-qwsxhsgae9

  • MD5

    0e27675635ef7e5475326e19d137b6a3

  • SHA1

    25c0dfa8e0039284cea4712acbb792fda42b2840

  • SHA256

    60e52790f183036e12c61a0f9eb0cec90e757f8e862a9a49144849b9ceffb1c3

  • SHA512

    ab35053db7b0f042afd40706f7ba9ea425e2f93e518571b84850ecd010408b227b52c9accee4a536721a88d985a1703f2de757ceb61e49932a3ad8393ea1417d

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.8

  • Campaign

    r8f2

  • Decoy

    HYm4fEDFPI26MBjBr3sK
    YIX49qUVzl6Xn02n8xYC
    vmWcRSr9Ly20njNL1ZIIOYCIzg==
    xlygGqfnYzqm2IikIGT+bA==
    gygguaFpZcHAeBacXm6VpGF3ilxt
    LKURTm07QBOdj0Kn8xYC
    k7nldyW+NHWWQ907Ukwb
    cfmMLf5Svg2W4w==
    Zn9zNsPuXbOvGMh6PlJes7lAmNc=
    Um1tOvMNU2XUvlqn8xYC
    BHfeBiieV/MThmTt/DQ=
    2NH3svsZEt0nXQwo
    GskKHpbMMQN/dGFsqg==
    fn18FMla0J/ua3en8xYC
    8WKhzc8r2FlTgBox
    +6vxDLW6Ag2MyYapIGT+bA==
    t2pzEvGF9oeOUQYwuIwhjlopaL1l
    gHHP6lSvoXj8
    6JHBccXI7feJkICGvQ==
    iKebQNmWyRiAk0pmpA==

Targets

    • Target

      SecuriteInfo.com.W32.AIDetectNet.01.29790.29870

    • Size

      306KB

    • MD5

      0e27675635ef7e5475326e19d137b6a3

    • SHA1

      25c0dfa8e0039284cea4712acbb792fda42b2840

    • SHA256

      60e52790f183036e12c61a0f9eb0cec90e757f8e862a9a49144849b9ceffb1c3

    • SHA512

      ab35053db7b0f042afd40706f7ba9ea425e2f93e518571b84850ecd010408b227b52c9accee4a536721a88d985a1703f2de757ceb61e49932a3ad8393ea1417d

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Xloader Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks