General

  • Target

    SKM_22903091909461.exe

  • Size

    286KB

  • Sample

    221004-gwf4aafah2

  • MD5

    dcbe72fe8885d385c4846f685bd86703

  • SHA1

    bb2abd72752d26185f294b8b4d56cb4dddeb9098

  • SHA256

    cddae169f7d487788ec3c3bbcdb635bf7e1e56d5559c896df6838d0493b4b793

  • SHA512

    60fcffc7962946932c103fd307ce04ac1f88c6cef4d83d11d4c0beae61dd680e5e9a7a3eca8cf30dca8245eb087e460a114fce8fa1bf983746a1698f60ce6dd4

  • SSDEEP

    6144:XoIuxQbmW7bCd5QpS2yfyGFfhNsilj/OKiHd9RLd+JnWX:XRumbmWPCjQpenxl/9IjgW

Malware Config

  • Extracted

    Family: formbook

    Campaign: bwak

    Decoy:

      NCcjR+OBqZ74WJDsfPJo
      JY0OQKQB32L1ntp62t8usBfKoU9VI68J
      dcG61oUPFxaTZg==
      XE/9YHBRgKsnnShYQBE=
      5dHmpJyR7TeXwL8=
      mAqXGjShf1/stqg=
      bRZ9qfhpXHGA5y9ufCJZbc4w
      TYNV3Jbof+31KUVsb8guKjnm5A==
      ThV4+K0ePoi3Po7sfPJo
      VkU9SX1govoeHtHsfPJo
      EInV01vKjwK5T98pHg==
      helinBiLSuTzKDc7hdk8ag==
      Pe9iDMw9N1BcavFERssBTds6
      Gc0N53DNN56SsPOYJYF9Lp0t
      obKr2CMIQ6DI3jTZKQB4QKM9sNDB
      jI9cvsWklgy5T98pHg==
      YMtH5rMbDI4MV5O2zgZg
      kAKH4Ib7fqZbZtN40NlAmoT4aSgnoQ==
      HBw9EyX/7Q81lNZ3xgppv9GpaSgnoQ==
      HNEspLCl6DAgvUTeUQJGfQ==

  • Extracted

    Family: xloader

    Version: 3.8

    Campaign: bwak

    Decoy:

      NCcjR+OBqZ74WJDsfPJo
      JY0OQKQB32L1ntp62t8usBfKoU9VI68J
      dcG61oUPFxaTZg==
      XE/9YHBRgKsnnShYQBE=
      5dHmpJyR7TeXwL8=
      mAqXGjShf1/stqg=
      bRZ9qfhpXHGA5y9ufCJZbc4w
      TYNV3Jbof+31KUVsb8guKjnm5A==
      ThV4+K0ePoi3Po7sfPJo
      VkU9SX1govoeHtHsfPJo
      EInV01vKjwK5T98pHg==
      helinBiLSuTzKDc7hdk8ag==
      Pe9iDMw9N1BcavFERssBTds6
      Gc0N53DNN56SsPOYJYF9Lp0t
      obKr2CMIQ6DI3jTZKQB4QKM9sNDB
      jI9cvsWklgy5T98pHg==
      YMtH5rMbDI4MV5O2zgZg
      kAKH4Ib7fqZbZtN40NlAmoT4aSgnoQ==
      HBw9EyX/7Q81lNZ3xgppv9GpaSgnoQ==
      HNEspLCl6DAgvUTeUQJGfQ==

Targets

    • Target

      SKM_22903091909461.exe

    • Size

      286KB

    • MD5

      dcbe72fe8885d385c4846f685bd86703

    • SHA1

      bb2abd72752d26185f294b8b4d56cb4dddeb9098

    • SHA256

      cddae169f7d487788ec3c3bbcdb635bf7e1e56d5559c896df6838d0493b4b793

    • SHA512

      60fcffc7962946932c103fd307ce04ac1f88c6cef4d83d11d4c0beae61dd680e5e9a7a3eca8cf30dca8245eb087e460a114fce8fa1bf983746a1698f60ce6dd4

    • SSDEEP

      6144:XoIuxQbmW7bCd5QpS2yfyGFfhNsilj/OKiHd9RLd+JnWX:XRumbmWPCjQpenxl/9IjgW

    • Formbook

      Formbook is an information-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Collection

    Data from Local System (T1005): 1

Tasks