General

  • Target

    tmp

  • Size

    502KB

  • Sample

    220627-eyn6kaahh5

  • MD5

    6237a36be522069ff7f84128c2cbb5c4

  • SHA1

    2c57d875e90ef11903529ec81862aa01e8945129

  • SHA256

    8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06

  • SHA512

    c36ae59fca8d0345b1ccf19838894ca2103cab1222c2e2f00f56e57d26d50cbeda24034e5dba05bd2d7cb533997b2235a4adddc992d5069938287d1bbad0855e

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

iewb

Decoy

n8FLlgIlb1rSEg5hJ9xMbw4hcmR38Q==

5vIAIY+pt81OtWs+FdIEdk7Y

LHIKc+oWGIQUUlfAAtEEdk7Y

ePM/cX2jvHrS

5hvPEw22+fdvmJz3C8FIVq0=

mb9EeX2jvHrS

Dx2zIYNvfjo8VUo5

6jVPnyJekv2RAc4gLKNwEqQ=

KWatHyjdE5Gj1Ng=

t9lk70gzUAZty4qjbVjF

6eUBeFPzKBWT125BFNIEdk7Y

dZUXOIyqTJGj1Ng=

iL3TVh2Jl5QVStnzxcAhIL8=

J1prtyklUfZGR/xDD71IbkWRd2yx

s9FgCOBRW9bU0Y6jbVjF

RYCbQDzcFBhcylgu

Fl0BV/8RJm6F9QRg8LXXTLo=

0dhumHzrCCZ3wdQg7nFF1AlL6Tk=

xvL+iL6wwX+/wH9K4lbZ/A==

N0lVceIFD5Gj1Ng=

Targets

    • Target

      tmp

    • Size

      502KB

    • MD5

      6237a36be522069ff7f84128c2cbb5c4

    • SHA1

      2c57d875e90ef11903529ec81862aa01e8945129

    • SHA256

      8261a237ce6bd2bfae4c46b2e8a338b00ea9047f1fa6c5cc9ac1e6d00f0a3a06

    • SHA512

      c36ae59fca8d0345b1ccf19838894ca2103cab1222c2e2f00f56e57d26d50cbeda24034e5dba05bd2d7cb533997b2235a4adddc992d5069938287d1bbad0855e

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Xloader Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Tasks