Overview

overview

10

Static

static

1

Purchase O...25.exe

windows7-x64

10

Purchase O...25.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    10e55528343098fef510828eea445cddd10d15d04e119ccadc3745c19adc458c

  • Size

    384KB

  • Sample

    221004-ew6mtsbhfl

  • MD5

    a6afd9a11ddb26ea9197b5e6555fd127

  • SHA1

    0235b4f30f97002e80903cb123fc31a17c355e5d

  • SHA256

    10e55528343098fef510828eea445cddd10d15d04e119ccadc3745c19adc458c

  • SHA512

    1e31ea3796cf09e9337eb645489d8de5ef794e5bfeafecb43b1979147eaebe081528d0edee1cf6d1cc8a044c20e2c296204429b5f70b64355ffa90a3046ac1b6

  • SSDEEP

    6144:j0YnOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOE:VOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOw

Score
10/10
formbookxloaderygkploaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

ygkp

Decoy

cbdlively.com

1nfo-post.com

janejohnsonlmt.com

autotradecryptoswithjack.com

mustang-international.net

dreamthorp.com

alexandratanner.net

exilings.com

gzjdgjg.com

51minzhu.com

wgv.info

raymondjamesconsult.com

omariblair.com

vaalerahealth.com

outdoorvoiceshop.com

spbo.info

blasiandating.online

c01-cdn48-oxble.xyz

mrmycology.com

installturbooax.com

Targets

    • Target

      Purchase Order MRQ-5525.exe

    • Size

      322KB

    • MD5

      aac47b26622b7b112abb2cf4545409b4

    • SHA1

      a1878da3ea31f946527897a759ffb1c9393fe426

    • SHA256

      f46d6d7bf1c9f466498c2a11c9c96fcc594c3490db04e763f81e7552f7ae6764

    • SHA512

      ec2eb8dc95fab52b7d5a8419dd4727e185b23e355de17fbbd8c512f84f07ac1822307c76f9239861ce6266f4dc71e568c7246c6321da0d02cce0674c231f3ef9

    • SSDEEP

      6144:T0YnOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOy:lOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO3

    Score
    10/10
    formbookxloaderygkploaderpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader payload

      rat

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks