General

  • Target

    STD 35 GA Plan_PDF.exe

  • Size

    662KB

  • Sample

    220707-ekm2caehg4

  • MD5

    1697d5a8c04a7220e7bd25e3a7b4ada5

  • SHA1

    5b71b005e84f5dcbca487c24f7662303d0dd656b

  • SHA256

    44079f7afc8f2b9900564b14b8e3e9e5b8de7ad0b4a1d514e5ff644def494d4e

  • SHA512

    3c68a2b785108b4ef26e122989b28f8126578815c8de0d8f80cdc251d3d86a31059b4aecd379fd6bde8aafcbc58bc2523e7dbaada706c3b3921d4ff2b192ae1f

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

iewb

Decoy

n8FLlgIlb1rSEg5hJ9xMbw4hcmR38Q==

5vIAIY+pt81OtWs+FdIEdk7Y

LHIKc+oWGIQUUlfAAtEEdk7Y

ePM/cX2jvHrS

5hvPEw22+fdvmJz3C8FIVq0=

mb9EeX2jvHrS

Dx2zIYNvfjo8VUo5

6jVPnyJekv2RAc4gLKNwEqQ=

KWatHyjdE5Gj1Ng=

t9lk70gzUAZty4qjbVjF

6eUBeFPzKBWT125BFNIEdk7Y

dZUXOIyqTJGj1Ng=

iL3TVh2Jl5QVStnzxcAhIL8=

J1prtyklUfZGR/xDD71IbkWRd2yx

s9FgCOBRW9bU0Y6jbVjF

RYCbQDzcFBhcylgu

Fl0BV/8RJm6F9QRg8LXXTLo=

0dhumHzrCCZ3wdQg7nFF1AlL6Tk=

xvL+iL6wwX+/wH9K4lbZ/A==

N0lVceIFD5Gj1Ng=

Targets

    • Target

      STD 35 GA Plan_PDF.exe

    • Size

      662KB

    • MD5

      1697d5a8c04a7220e7bd25e3a7b4ada5

    • SHA1

      5b71b005e84f5dcbca487c24f7662303d0dd656b

    • SHA256

      44079f7afc8f2b9900564b14b8e3e9e5b8de7ad0b4a1d514e5ff644def494d4e

    • SHA512

      3c68a2b785108b4ef26e122989b28f8126578815c8de0d8f80cdc251d3d86a31059b4aecd379fd6bde8aafcbc58bc2523e7dbaada706c3b3921d4ff2b192ae1f

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Tasks