General

  • Target

    22.zip

  • Size

    1.8MB

  • Sample

    220902-dzzs1sfdhr

  • MD5

    72c75f372a51053c1aedf92cd4b9dece

  • SHA1

    38136b40e73c057a43a4ae310ac4632093040d73

  • SHA256

    a7c1f4ae5c35b88e68b4d82db4c7e14d53922946d853569b5efd5050e7480229

  • SHA512

    8ed1de33634dabdf6a404a8aa061d1f5456cfa0a06df8a8e40a3b6d0c7ef1417ad4b9b4a316d22a7681420edb93676a352208d886113ae21749ce68d3b9d48e9

  • SSDEEP

    49152:1GD2jKzAZsfRYFHMAtSUZj7aRacFta8sfRnsfRlGD2QtAhTh:182Oz7RhAEYXsnAUz82QtSh

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.9

  • Campaign

    iewb

  • Decoy

    n8FLlgIlb1rSEg5hJ9xMbw4hcmR38Q==
    5vIAIY+pt81OtWs+FdIEdk7Y
    LHIKc+oWGIQUUlfAAtEEdk7Y
    ePM/cX2jvHrS
    5hvPEw22+fdvmJz3C8FIVq0=
    mb9EeX2jvHrS
    Dx2zIYNvfjo8VUo5
    6jVPnyJekv2RAc4gLKNwEqQ=
    KWatHyjdE5Gj1Ng=
    t9lk70gzUAZty4qjbVjF
    6eUBeFPzKBWT125BFNIEdk7Y
    dZUXOIyqTJGj1Ng=
    iL3TVh2Jl5QVStnzxcAhIL8=
    J1prtyklUfZGR/xDD71IbkWRd2yx
    s9FgCOBRW9bU0Y6jbVjF
    RYCbQDzcFBhcylgu
    Fl0BV/8RJm6F9QRg8LXXTLo=
    0dhumHzrCCZ3wdQg7nFF1AlL6Tk=
    xvL+iL6wwX+/wH9K4lbZ/A==
    N0lVceIFD5Gj1Ng=

Extracted

  • Family

    xloader

  • Version

    2.9

  • Campaign

    fofg

  • Decoy

    FHyydxpFBs0S8b4ZlP7ZEtd/
    EVaCEKb/cVV9xQ==
    U9I5lke0IuU7vj5EXus=
    rXD3AKPV3qUblOUsV41KMfU=
    PwBSy5z56XNzIvnS3ygsKv0=
    CQe1BLbSnGXX
    HuhKjxhLhxqBy2FFz8WoFA==
    QJymezEoLOFZ1T5EXus=
    V8r5PAdwuGK2AUARohas
    b1XV06ANH9s5uj5EXus=
    3EiEhwo7Euw2tl8=
    c2PjK8Izkydy5N8x
    CXCkYf0m/qPrv8QajKyT6Oo=
    pHjy+Mk0CqvWBXdCz8WoFA==
    QjSwr3/j5rAyvz5EXus=
    +edxANg/sU+k8YFQz8WoFA==
    tWiQq3rqyl6cTAG9pA==
    GeAyMQxBUOlDwD5EXus=
    nQ5eoT2mEKkhDN2DwBek
    JP5dIbHlrXXR8umDwBek

Targets

    • Target

      33.exe

    • Size

      176KB

    • MD5

      a2b59a275d7eb532b4976872fad38cc6

    • SHA1

      0006de71b9270b92c74efa8e58586cf2f7ad1e64

    • SHA256

      067d5253b293459e5454da99c42f3200f8bf7e2cb4ec0e876aac089ac46fe54b

    • SHA512

      5e84c3e7e79019ccb72331e3601b1b4e277ecb0d4728998268ea23e6e41328690596b58c13f53a590379f891b726a5f5c66334aadf74027d8babcdcbd2471777

    • SSDEEP

      3072:QdlpkYBi4+lgqcEehWo2z3sCs6dAkkg5opnFi8T2qM1jrkOfmG4X:Sp3+QEeIz3x3dAkkgoFJT21hmr

    Score 10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      34.exe

    • Size

      180KB

    • MD5

      7677c811c83f21eb325cee4e19efd155

    • SHA1

      b443ae091cf1f897fc7e3a08fd16d4d1217a995c

    • SHA256

      e73d3a2c368dac48144eb131a29b79bafd11fc6434fc2afd8ee512a3bfe4871b

    • SHA512

      3b434afc88f534dbdd6727f47101c55d30e46b4b86039ba00356092b9c0693c6a042e117c00bcef4987a587a65b6d8f7992fbb108e2468f268e5e40fe5737e89

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hd/NYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdOM7j

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      35.exe

    • Size

      176KB

    • MD5

      675b7c7ed756d2c9bd3319802029a228

    • SHA1

      31b44c6668f81a997cfe99c240a8d9ecd35cbef4

    • SHA256

      a16f939e9b65316cddd172484406394ebda2fed078d611d774b942daa6c239dc

    • SHA512

      776753c4aba10b83f995580940e1100c88999514e25edf2c172073c2f130d98b92e36d0364b91dc16b97e26263c191f7e025778849b1c8255078234cfbe2e861

    • SSDEEP

      3072:bQ9NMqbEzJhsadCKYQIhWEGr+pTJB1qdKXhDD4q0yW6xPJNnwN5GSBCV0BVEm:bcMKQ+aUYIkr+lJ7qIXhDD4q0yHBNnwa

    Score 10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      36.exe

    • Size

      176KB

    • MD5

      d68996bdcd5a2b28de82355a1107fb9f

    • SHA1

      f4ac00f5e4864a47da3569e0e75eb051e5ffd2bb

    • SHA256

      85668639c9ef2ed33488e13f4cfdb3f90342425c0f7a2ff014e77bd316e5581c

    • SHA512

      d7c34972a76078ffde2c0cf7b2be0e39ffb0b070fea4c8b04e7f0e9339a8d1c50c427af659c2f9e634a9c71f04a87d8a54cf4cf8880a0ebdeab5a49f072aa536

    • SSDEEP

      3072:LVz5TPJuR4ptWuN9X3kUAJefLJMfC0OfWKHFpfY9kn992ffG57AhohP:NFgOph9noeTJTPnfjnUzoh

    Score 10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      37.exe

    • Size

      176KB

    • MD5

      67dc61588f11f816b92690ea723fcd8e

    • SHA1

      73fd5e1d4bc161d5aa803ed1db493ce7cbca5f75

    • SHA256

      35876cb065b7b1a590a882ab9b85539d567043c53362208955f69093855e9ea9

    • SHA512

      7995ff412f92a72eeffc14633d225fb0bb68bfb5c54f0babd13416be4e11ab035d7f4ea7875de42ddb9fd899f25810b56009ca8b26f6d88d255c59e6f1e89a01

    • SSDEEP

      3072:DO+opXUUl1BGq3gjSW7ho/xYTXdS3cR+Z7v+cj5ilpbvHi21PQdk775cxIh0d:DaDzsggjHe/xY7d4cR+Zv+cN4B1IOP5c

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      38.exe

    • Size

      176KB

    • MD5

      8d832564ccf944aa80614078e59afca3

    • SHA1

      0eb7785515b2acc2c35fd4ec7b822fe97ef884b9

    • SHA256

      71d20cb55abb01e4cdb1d2f7a5e61f6048c34079970d5850b785386ca53c7c1a

    • SHA512

      c5a1a9acb1da0d57b057e0a1a8141b21f209d50ed838e03ee904364255e4889beaea43173e65d1188cd8057c6ac25f43328f0ba181e7ee34c8b49c34aa41bfc9

    • SSDEEP

      3072:xrtRM59Srdxq5+HIbTS4WGRbQ/0oqcMisygnrs4oEV4oyDaShxt/RZG0TQh/mxrC:9I596dYoo3SYbQMogyUY4hV4oyDa87Zi

    • Formbook

      Formbook is a data-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      39.exe

    • Size

      180KB

    • MD5

      12d0de0d9ba0e753b17a5572a3a23822

    • SHA1

      19ea0cdd98fbe21fd9b7a6c1a1a681d882c9e973

    • SHA256

      b38ccebbce70c75c88be4529e17377d914fcc21b63f9afec651299e68b3346a4

    • SHA512

      9f3c978c6793af877209b225bed86745160923f1db142015a0eb542207de43353998e50311914e7e46a29698dd779a2ed855e2d8fa34501bc570fc44144dd856

    • SSDEEP

      3072:2TFKD7rLrumkW7yyuMaEaGLoXgeg0KaMQC+t8j9o8mcW7sFBV:gKPrOmYyud/GLoXgj0KajC+Yo8mcCO3

    Score 10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      40.exe

    • Size

      180KB

    • MD5

      12d0de0d9ba0e753b17a5572a3a23822

    • SHA1

      19ea0cdd98fbe21fd9b7a6c1a1a681d882c9e973

    • SHA256

      b38ccebbce70c75c88be4529e17377d914fcc21b63f9afec651299e68b3346a4

    • SHA512

      9f3c978c6793af877209b225bed86745160923f1db142015a0eb542207de43353998e50311914e7e46a29698dd779a2ed855e2d8fa34501bc570fc44144dd856

    • SSDEEP

      3072:2TFKD7rLrumkW7yyuMaEaGLoXgeg0KaMQC+t8j9o8mcW7sFBV:gKPrOmYyud/GLoXgj0KajC+Yo8mcCO3

    • Formbook

      Formbook is a data-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      41.exe

    • Size

      176KB

    • MD5

      228b0bc29a751779e97f60e14a1b9f57

    • SHA1

      0c735257db6d9afc8ee6a656a8634310411a049f

    • SHA256

      5480ecfb5e60326a88fe45eb2adf3d9bc67e26fc2fc7800609a467e6a5f77444

    • SHA512

      9a22551428299be14f05dfe3f0f1d710a1a15b794da3e0671abadd934fc576ba022458579d73cfe777c3599fd3c8859c118fa1b632cc7ce2c67108ad42af95f1

    • SSDEEP

      3072:yTjyF3P55Z+0IhW59LQUlOsdZNjIZfR5/VUmhFaIItneeVw65z:33h5JI8LQKj3NjIZfR5/uCFaIItlVw6

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

    • Target

      42.exe

    • Size

      180KB

    • MD5

      12d0de0d9ba0e753b17a5572a3a23822

    • SHA1

      19ea0cdd98fbe21fd9b7a6c1a1a681d882c9e973

    • SHA256

      b38ccebbce70c75c88be4529e17377d914fcc21b63f9afec651299e68b3346a4

    • SHA512

      9f3c978c6793af877209b225bed86745160923f1db142015a0eb542207de43353998e50311914e7e46a29698dd779a2ed855e2d8fa34501bc570fc44144dd856

    • SSDEEP

      3072:2TFKD7rLrumkW7yyuMaEaGLoXgeg0KaMQC+t8j9o8mcW7sFBV:gKPrOmYyud/GLoXgj0KajC+Yo8mcCO3

    Score 10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      43.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    • Formbook

      Formbook is a data-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      44.exe

    • Size

      180KB

    • MD5

      4655391b02be2427e3f1985ec687678b

    • SHA1

      6c05c1d258e3dfddd7b10053ab7d5574720678f7

    • SHA256

      8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0

    • SHA512

      2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661

    • SSDEEP

      3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j

    • Formbook

      Formbook is a data-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

    • Target

      45.exe

    • Size

      176KB

    • MD5

      8918e6c9574a82a76d88ef4bdbcc7f07

    • SHA1

      9ca1f7bfffdd5b62e77e2b98a9938ba0eb35f314

    • SHA256

      4daaf3f047b0319b51b19ece40173f2fc691cb94651f744545ebe84da9383da9

    • SHA512

      ce9e494ed7a76f8ef368ced6a18bbd5bfe203eb05177c70ecd1394fd812681be2b1e8a6de57441f050b75f9f28a991887ddf57070908cc62b9cd12384d8fc3b9

    • SSDEEP

      3072:QdlpkYBi4+lgqcEehWo2z3sCs6dAkkg5opIFi8T2qM1jrkOfmG4X:Sp3+QEeIz3x3dAkkgoMJT21hmr

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      46.exe

    • Size

      180KB

    • MD5

      8ae4b54233e81b57019d4b5a99bd8c2a

    • SHA1

      26fd130c30a1d71e45c75938c0f2c6d30b8a1536

    • SHA256

      f690ffee38ecd975fe66819463977ed1189c660c1a72db4cb8b6a957ea72fb6b

    • SHA512

      3445faa35303e0d790d24085da79edd8760efb2345bb000b6f3481f2219df1cc2f201fb00bfc3a4d3e490ecd0b5f527f2f00339ff42e07393fd8fa3a48603887

    • SSDEEP

      3072:3zUFGeFw82qbnsBWD4rF6aA/lY4RRSR5NClaYA5jmluZOsr1IW:YFG6ZVbnsDrFTAG4RRYCla/RrHI

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader payload

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Command-Line Interface (T1059): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 9

  • Defense Evasion

    Modify Registry (T1112): 19

  • Credential Access

    Credentials in Files (T1081): 8

  • Discovery

    Query Registry (T1012): 14
    System Information Discovery (T1082): 15

  • Collection

    Data from Local System (T1005): 8

Tasks

  • static1

    rat, xloader
    Score 10/10

  • behavioral1

    xloader, loader, rat
    Score 10/10

  • behavioral2

    xloader, loader, persistence, rat, spyware, stealer
    Score 10/10

  • behavioral3

    xloader, loader, rat
    Score 10/10

  • behavioral4

    xloader, iewb, loader, rat
    Score 10/10

  • behavioral5

    xloader, fofg, loader, persistence, rat, spyware, stealer
    Score 10/10

  • behavioral6

    formbook, xloader, loader, persistence, rat, spyware, stealer, trojan
    Score 10/10

  • behavioral7

    xloader, loader, rat
    Score 10/10

  • behavioral8

    formbook, xloader, loader, persistence, rat, spyware, stealer, trojan
    Score 10/10

  • behavioral9

    xloader, loader, persistence, rat, spyware, stealer
    Score 10/10

  • behavioral10

    xloader, loader, rat
    Score 10/10

  • behavioral11

    formbook, xloader, loader, persistence, rat, spyware, stealer, trojan
    Score 10/10

  • behavioral12

    formbook, xloader, loader, persistence, rat, spyware, stealer, trojan
    Score 10/10

  • behavioral13

    xloader, loader, persistence, rat, spyware, stealer
    Score 10/10

  • behavioral14

    xloader, loader, persistence, rat, spyware, stealer
    Score 10/10