General

  • Target

    smss.exe

  • Size

    473KB

  • Sample

    220626-gry4asheel

  • MD5

    af158cff1deb238eb10b33b07d08a61e

  • SHA1

    e0229b402990fad0fe92db278b3f4a3ed7a9767d

  • SHA256

    42e5467c1516b5291491f4acbac29889575738c9f0652655ce7b7eeffa2374d4

  • SHA512

    7c32eedea122a63ae3f6b1216e8ae9ec8141cf870ac0d456f3d7efe52a5e881253fa07596299d221acc6ff1a46915edcf31952eaee5d389249c309b85ff5f0c2

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

iewb

Decoy

n8FLlgIlb1rSEg5hJ9xMbw4hcmR38Q==

5vIAIY+pt81OtWs+FdIEdk7Y

LHIKc+oWGIQUUlfAAtEEdk7Y

ePM/cX2jvHrS

5hvPEw22+fdvmJz3C8FIVq0=

mb9EeX2jvHrS

Dx2zIYNvfjo8VUo5

6jVPnyJekv2RAc4gLKNwEqQ=

KWatHyjdE5Gj1Ng=

t9lk70gzUAZty4qjbVjF

6eUBeFPzKBWT125BFNIEdk7Y

dZUXOIyqTJGj1Ng=

iL3TVh2Jl5QVStnzxcAhIL8=

J1prtyklUfZGR/xDD71IbkWRd2yx

s9FgCOBRW9bU0Y6jbVjF

RYCbQDzcFBhcylgu

Fl0BV/8RJm6F9QRg8LXXTLo=

0dhumHzrCCZ3wdQg7nFF1AlL6Tk=

xvL+iL6wwX+/wH9K4lbZ/A==

N0lVceIFD5Gj1Ng=

Targets

    • Target

      smss.exe

    • Size

      473KB

    • MD5

      af158cff1deb238eb10b33b07d08a61e

    • SHA1

      e0229b402990fad0fe92db278b3f4a3ed7a9767d

    • SHA256

      42e5467c1516b5291491f4acbac29889575738c9f0652655ce7b7eeffa2374d4

    • SHA512

      7c32eedea122a63ae3f6b1216e8ae9ec8141cf870ac0d456f3d7efe52a5e881253fa07596299d221acc6ff1a46915edcf31952eaee5d389249c309b85ff5f0c2

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Xloader Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Command-Line Interface

1
T1059

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks