General

  • Target

    PURCHASE ORDER INQUIRY.zip

  • Size

    861KB

  • Sample

    220930-sn1y9sdhg7

  • MD5

    e5d77e2a170a4bd3d050b7b3596de535

  • SHA1

    cae3584e5716702649859745d43a9b258cf5a264

  • SHA256

    bde0b375d6dabfcbb9f4b193eebd264caa732b1a2ae55956b20ab6d3369a8043

  • SHA512

    7d95f3154bbf07504f9a56b56c99507e7d5a2439b37a36a2f5ea68709b5ed5fc37eeecbd1bfd0c1b813f038f9bdea4ea47e776943c8b589c31c02f626aefdeee

  • SSDEEP

    12288:aQmp2Gs1TJUUtvmzl/Tf7is2K4RHx9dA0fmK3Xldb/PaTLyVD+avEyvkhVIpTkwm:aQaOtJUUtaBGpRj1mw1N/PAuVzdMoTkF

Malware Config

Extracted

  • Family

    formbook

  • Campaign

    h96v

  • Decoy


Extracted

  • Family

    xloader

  • Version

    3.5

  • Campaign

    h96v

  • Decoy


Targets

    • Target

      PURCHASE ORDER_xslx.exe

    • Size

      1.3MB

    • MD5

      29ddf9bc83a82aa5a5c130e634190270

    • SHA1

      cc28d16ec623eb5ecdc42508205e015708a07f25

    • SHA256

      02f48efdcdc0eb31789fd2c571acbc10c5e5fc337d3b01ce1d442784646c43d8

    • SHA512

      e59f1efc9ca57355cb2707aee59eaaee3ac6d96fd36f8520e3200203d79f0f39756d019843227ad7bc60f6ddb38b00ba12fb78ebdd6e558831531440fe920db5

    • SSDEEP

      24576:tp/pB0n0Kf2fRjRowjP/PwYVBLoglhppppppp:tp/pmnZfcjj3oOCglhppppppp

    • Formbook

      Formbook is a data-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Suspicious use of SetThreadContext

    • Target

      Purchase Order Specifications.pdf

    • Size

      2KB

    • MD5

      c9abaff60d8aa3558f28cac7cd67bafe

    • SHA1

      aea285af089a32d6b34ca1213c39d1cc228e789c

    • SHA256

      13146e94eb84297749c9d894ca8bee1e3b394a26c77e3f8414992dcece9cdb91

    • SHA512

      10c1bf863b6b4199d57b975b0197893297c68c035f14a07d0ee1ebbe4ae4f0b46d2d5aed7a3d7e1ae81e325caa4b0a2b173857c485fa919eba78224b0a639936

    Score
    1/10

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Modify Registry: T1112 (2)

Credential Access

  • Credentials in Files: T1081 (1)

Discovery

  • Query Registry: T1012 (2)

  • System Information Discovery: T1082 (2)

Collection

  • Data from Local System: T1005 (1)

Tasks