General

  • Target

    tmp

  • Size

    451KB

  • Sample

    220621-qz8r5sdgcj

  • MD5

    9e1bb80ff1f6f5181ed26c62ef3de29d

  • SHA1

    5c37096275b5947dfd68ccacc92eec204fa73883

  • SHA256

    a92f8917b2e98217ede5359f7906dd0a60df26e087a1e1c33b81797a334fb448

  • SHA512

    f1493090882bbe106508b50a0dcc8ac9966b157837f3d3d428b5b1977bcda3ea00eb067b5f925add5a38e069cfb4e7ce63be49ba8db29b23eb171290226e7004

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

rb1k

Decoy


Targets

    • Formbook

      Formbook is a data-stealing (information stealer) malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Xloader Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks