General

  • Target

    2a1edd92233018fc3c33972e19ca63a3

  • Size

    146KB

  • Sample

    220621-rm7jzsgcb8

  • MD5

    2a1edd92233018fc3c33972e19ca63a3

  • SHA1

    79f10d83b210290437378d78a38451f69717fd3b

  • SHA256

    384b9f8ff8f8590c530561fddcc5c9eb9d086e8d5414ce4d0e6fab7ad2df7b58

  • SHA512

    b89bc1d284e982d7bcd02d73e979c2a597aff9934e980aba7113ed7d62a4c50c65013889ee15d3ec4c29fc034c2bda68edcbbddb1b238630848e4a1299d0f21f

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.9

  • Campaign

    6ec8

  • Decoy

    jRVrOiU6P9SL
    hBvtTXRps0YOiMK7wW4Yqfq8Nw==
    HyX2Ohx73aQBbtxjU7Pzfg==
    vzhVfL1jwJABICwP
    x3pvuHsiLt6S
    TlErGZ4JgmQfNVSxQWirnqdyRBo7SA==
    UDFwtT+b/ohQnJQXBpWrVZyERBo7SA==
    tl9gWu5Ng2YwenkR
    SR9SnD6x7qEVh8n9WmVze4RKBqpIvLZ3
    GlDQs56A5IckU3l1PEHT
    2q+6jfdntUyrKWu0O4hlZoY=
    ws8gw/+Y47tUzTx9prT+oJE=
    mX6gcFZVqpVm/G9usbc=
    9znSNHJSopVm/G9usbc=
    KZxBj7bv/66K5hoASohlZoY=
    86PIKEpEpz8dJ1oY
    w8OZhBJ/zXGk1s7mZZnb5QbvwyWpROw=
    YD+LAlhIpUQdgcFsQNgOlqaERBo7SA==
    BWrdPt8lB/5g1Q==
    IvVBvCQHcjwgXNeSvLo=

Targets

    • Target

      Acknowledgement Document.exe

    • Size

      241KB

    • MD5

      23f5b6b826923ad737d239e8d69c6fb3

    • SHA1

      ea339ae5e0b951588735c5321a8e248b2580e4c7

    • SHA256

      b914edf9af881ccbc5134d66cbd02cda42129d801b1a862b5a76ea24567b6383

    • SHA512

      c6f0565605122126c3eb7266edc16bd76645d1f3dd249d6059d09e349ee695c39062bfc4a7e5b8d76e566160de3f8eca8410c4d6322ae034b316df74cb45bd5e

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • ModiLoader Second Stage

    • Xloader Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive account information.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks