General

  • Target

    orden grande pdf.exe.xz

  • Size

    100KB

  • Sample

    220627-k38nnaaaep

  • MD5

    82bab8ebf2949ac930f84e71b1ff66fb

  • SHA1

    ff5ddc3759591dccb2b3ec5bd37f67d0d9ec57ce

  • SHA256

    7e05beb1f3567f6c96823777d029ceb27c43e7f275304e57b28f6c42bbbc099c

  • SHA512

    5dee480e9380eac5ec94270809c348636b09b2f1f737f148df0003b09d45abcb4548a842e2c9376196cfd7400612a6bb562639d6af6887d7efbbd5468f2c4fc4

Malware Config

Extracted

  • Family: xloader
  • Version: 2.6
  • Campaign: gqvv
  • Decoy domains:
    keyclash.com
    canadianinspiration.com
    testmanagement.xyz
    doxpunk.xyz
    kodacult.com
    snatchbra.net
    313370955.com
    sarochin.com
    norozoto.xyz
    nbpanthers.com
    colombiaartesanias.com
    m57hwtiuu7h.com
    tsaerac.com
    alugiare.com
    elizeusomautomotivo.com
    fgijjisdifsd.xyz
    isecurewebsites.com
    incomeviaonline.com
    caribbeanbrunch.com
    alveus-solarboote.com

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: n7ak
  • Decoy domains:
    modischoolcbse.com
    theneverwinter.com
    rszkjx-vps-hosting.website
    fnihil.com
    1pbet.com
    nnowzscorrez.com
    uaotgvjl.icu
    starmapsqatar.com
    ekisilani.com
    extradeepsheets.com
    jam-nins.com
    buranly.com
    orixentertainment.com
    rawtech.energy
    myol.guru
    utex.club
    jiapie.com
    wowig.store
    wweidlyyl.com
    systaskautomation.com

Targets

    • Target

      orden grande pdf.exe

    • Size

      241KB

    • MD5

      149d29a68788c9cd599cba389698ed47

    • SHA1

      cad8135bbbee484b91b87df367631b9043c2f403

    • SHA256

      b92800b4c8d2200d261f52287439016dc29ba57a73d428015ab05ee98a19c159

    • SHA512

      6026a7692a4a745518f2c8404a1c4b4c08e8c66f2d6fe0c9385c73d8a125bb26bba8496b4f9a492d3c8bc73140ba2173d3583435318245fe5ea0004e51a916c7

    • Formbook

      Formbook is a data-stealing malware family (infostealer).

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Formbook Payload

    • ModiLoader Second Stage

    • Xloader Payload

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic              Technique                            Count  ID
Execution           Command-Line Interface               1      T1059
Persistence         Registry Run Keys / Startup Folder   2      T1060
Defense Evasion     Modify Registry                      4      T1112
Defense Evasion     Install Root Certificate             1      T1130
Credential Access   Credentials in Files                 1      T1081
Discovery           System Information Discovery         1      T1082
Collection          Data from Local System               1      T1005

Tasks