Overview

overview

10

Static

static

Payment_advice.exe

windows7_x64

3

Payment_advice.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Payment_advice.exe

  • Size

    769KB

  • Sample

    220624-q2dd1sfdd9

  • MD5

    560d32891531b1b707f3382ae9c56b85

  • SHA1

    f18aa28ee289221ca9a6bb67a8be92f4be087994

  • SHA256

    6481c836c532a3f055c0239f0459af303c5eda0c95a3f0283bba568b060967e5

  • SHA512

    e1f4fae2b4c0d40db1052995cc5d9e86ea85e838492ac42c0762fd6e916eab1f014fb3f17a20a371679f95ab780bca4e7da2b0bb78f779e2c6560206f97a0178

Score
10/10
xloaderv4qpdiscoveryloaderpersistenceratspywarestealersuricata

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

v4qp

Decoy

je1XQKU1LfJPVLk=

nvf41a7FsTLs6uB/g+CR

U7mryF6DctZn6GEjr9Bm4g==

1SONGrPdh7wGEOXp3g==

2xX859r7qOFq7GYkr9Bm4g==

IYtzVUx0Oo0HmZawLQAARDvBf4dL

NH3iuBPNSzZTvpw/4KaG

rDehfiqIPbdMBS8G1g==

xhb2uJ0eBwo7k3djqxh60xoNt4VoeQ==

AFtKux3JgPGRkx3xUsciR6piSg==

m+3VoJadWcBvOAPpzKUNPoAxyplS

1DWKULdka3mxIKhEqGxQr7gxyplS

DGlFGBqWi5CtrCX9alyTuPzq

muvVM4slyTfxORwAZisVksCM78aSEVo=

D3biNgUbyg9E5pl+

/+1QLPssvl/Xxg==

I4lzTjaAcc1iBS8G1g==

wSwc4MmbShojhlZCrniTuPzq

jN5YO6ZXSfJPVLk=

4TUS4+ANuqHCRTM9sniTuPzq

Targets

    • Target

      Payment_advice.exe

    • Size

      769KB

    • MD5

      560d32891531b1b707f3382ae9c56b85

    • SHA1

      f18aa28ee289221ca9a6bb67a8be92f4be087994

    • SHA256

      6481c836c532a3f055c0239f0459af303c5eda0c95a3f0283bba568b060967e5

    • SHA512

      e1f4fae2b4c0d40db1052995cc5d9e86ea85e838492ac42c0762fd6e916eab1f014fb3f17a20a371679f95ab780bca4e7da2b0bb78f779e2c6560206f97a0178

    Score
    10/10
    xloaderv4qpdiscoveryloaderpersistenceratspywarestealersuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

File Permissions Modification

1
T1222

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks