General

  • Target

    Order_SC00167861.js

  • Size

    355KB

  • Sample

    220628-l3x3laadh8

  • MD5

    59a6fbc96766f321e57bc303176e6668

  • SHA1

    e716a824708d6c441015b8f121c609904922d8ba

  • SHA256

    27e9285ffcecae79f52314558cdaffcfbbbdbcc10e220425daedb5b4663bde11

  • SHA512

    edfdb1cebea4f21027e3988e43a41312e38ca4375cd28d018c4cc6e0b1bd38f440c5074703a504899e1603b2096f552da4b98a3483ba7a0ef9e8d4f58d001b5e

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

r4wf

Decoy


Targets

    • Formbook

      Formbook is data-stealing malware.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Xloader Payload

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (T1060): 2

Defense Evasion

  • Modify Registry (T1112): 3

Credential Access

  • Credentials in Files (T1081): 1

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 3

Collection

  • Data from Local System (T1005): 1

Tasks