General

  • Target

    Ponuda_67483346_Ofertaz_Q248mm2022.arj

  • Size

    207KB

  • Sample

    221005-qdcsksefbn

  • MD5

    f348415daafc989e7381b16beedd8a3f

  • SHA1

    b4dc641f0ff6924f3f2d5533ff3e091cf811ee4f

  • SHA256

    3c69356d69999b72956a442a63efef53b51b94d281753e228ff1f253768a9e34

  • SHA512

    8989b52e5c63aa41efbaa6912a72ce015bbe576307ad65ac599655dd88b18d3a25a04f0112e178c1533b4e62993cc905bcfa57c7e1fc867dbb4b4caafb011ac6

  • SSDEEP

    6144:ND/awktSbjl+/MstN76X+p0UJvDGQ/FsB4UG5LubWKlB//Ap:ND/vk0+/hB6X+p04DGSFsB4UG9IXBHAp

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

mt88

Decoy

syzbf32.xyz

pertlines.com

vybaveniprocyklostezky.com

elianmsalas.tech

a-snag-tokei-kaitori.com

tuvistaing.com

whoyoucall.net

l8e9gr.xyz

sophrologuemontevrain77.com

ciclean.com

the-roel.com

campgreencove.com

foremostbookkeeping.com

zamanscorner.com

efeturozemniyet.com

penelope.team

murata.life

solfuls.com

tradefitinvesting.com

skinbid.pro
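
The domain list above is the config's C2/decoy list: a Formbook/Xloader bot beacons to its real C2 together with decoy domains, so a single one of these names in DNS logs is a weak indicator, while one host resolving several of them within minutes is a strong one. The following Python is an added example (not part of the sandbox report) that applies that logic to DNS query logs. The log format (timestamp, client IP, queried name) and the log lines themselves are constructed for the example; the ten-minute window and the threshold of three distinct domains are assumptions to tune per environment.

```python
"""
Added example, not part of the sandbox report: correlate DNS query logs
against the decoy/C2 domain list extracted from this Xloader sample.
The log format (timestamp, client IP, queried name, space separated)
and the log lines below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Domain list from the extracted Xloader config above. The sandbox cannot
# tell which entry is the live C2; the bot contacts decoys alongside it.
XLOADER_DOMAINS = {
    "syzbf32.xyz", "pertlines.com", "vybaveniprocyklostezky.com",
    "elianmsalas.tech", "a-snag-tokei-kaitori.com", "tuvistaing.com",
    "whoyoucall.net", "l8e9gr.xyz", "sophrologuemontevrain77.com",
    "ciclean.com", "the-roel.com", "campgreencove.com",
    "foremostbookkeeping.com", "zamanscorner.com", "efeturozemniyet.com",
    "penelope.team", "murata.life", "solfuls.com", "tradefitinvesting.com",
    "skinbid.pro",
}

# Constructed DNS log: 10.0.0.15 resolves four listed domains within two
# minutes (Xloader-style beaconing); 10.0.0.22 touches one of them once,
# which on its own is not enough to alert.
SAMPLE_DNS_LOG = """\
2022-10-05T14:03:11Z 10.0.0.15 www.microsoft.com
2022-10-05T14:03:12Z 10.0.0.15 www.pertlines.com
2022-10-05T14:03:40Z 10.0.0.22 ciclean.com
2022-10-05T14:03:58Z 10.0.0.15 murata.life.
2022-10-05T14:04:30Z 10.0.0.15 skinbid.pro
2022-10-05T14:05:02Z 10.0.0.15 elianmsalas.tech
2022-10-05T14:20:00Z 10.0.0.22 login.microsoftonline.com
"""


def match_listed_domain(qname, domains):
    """Return the listed domain that qname equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def parse_dns_log(text):
    """Yield (timestamp, client, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname


def find_beaconing_hosts(log_text, domains=XLOADER_DOMAINS,
                         window=timedelta(minutes=10), min_distinct=3):
    """Map client -> sorted list of listed domains for every client that
    resolved at least min_distinct different listed domains inside any
    span of length `window` (sliding window over that client's hits)."""
    hits = defaultdict(list)
    for ts, client, qname in parse_dns_log(log_text):
        hit = match_listed_domain(qname, domains)
        if hit:
            hits[client].append((ts, hit))
    alerts = {}
    for client, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {d for t, d in events[i:] if t - start <= window}
            if len(in_window) >= min_distinct:
                alerts[client] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for client, seen in find_beaconing_hosts(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(seen)} listed domains -> {', '.join(seen)}")
```

Matching is done on the registrable name and its subdomains, with a trailing dot tolerated, so `www.pertlines.com` and `murata.life.` both count while `notpertlines.com` does not. Lowering `min_distinct` to 1 turns the function into a plain IOC match, which is useful for retro-hunting but noisy for alerting because any one of the decoys may also be a legitimate site.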

Targets

    • Target

      Ponuda_67483346_Ofertaz_Q248mm2022.arj

    • Size

      207KB

    • MD5

      f348415daafc989e7381b16beedd8a3f

    • SHA1

      b4dc641f0ff6924f3f2d5533ff3e091cf811ee4f

    • SHA256

      3c69356d69999b72956a442a63efef53b51b94d281753e228ff1f253768a9e34

    • SHA512

      8989b52e5c63aa41efbaa6912a72ce015bbe576307ad65ac599655dd88b18d3a25a04f0112e178c1533b4e62993cc905bcfa57c7e1fc867dbb4b4caafb011ac6

    • SSDEEP

      6144:ND/awktSbjl+/MstN76X+p0UJvDGQ/FsB4UG5LubWKlB//Ap:ND/vk0+/hB6X+p04DGSFsB4UG9IXBHAp

    Score
    3/10
    • Target

      Ponuda_67483346_Ofertaz_Q248mm2022.exe

    • Size

      271KB

    • MD5

      22a4df7a24943c0e6a133cf2dc835fac

    • SHA1

      00ca0d802b1412bdef7d6cdcaee1055a8d882999

    • SHA256

      c4e3a75d9d824f56a85a5d57f51d6631447cf4b25e535bf0cfc30f89cb2780f3

    • SHA512

      6e13d1f6ef8735f6d7790620c18fd64edc582f22d4f47be0f90737d445502797a81ec2fd571226544546242456fb2cd66510dfdddf8d078dde5a70b5a8725e96

    • SSDEEP

      6144:dNeZT/9uivR9dYpsMNHYw0fRkaeeFJiX2qJozqP:dN6uG/YpX/XEJ02/w

    • Formbook

      Formbook is an information-stealing malware family sold as malware-as-a-service; it harvests saved credentials and form data from browsers and other applications and logs keystrokes.

    • Xloader

      Xloader is the rebranded successor of Formbook: the same codebase sold under a new name since 2020, with a macOS port alongside the Windows build.

    • Xloader payload

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers routinely harvest stored browser data, which includes saved credentials, cookies and autofill entries.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Setting the thread context of a suspended process is the usual way a process-hollowing loader redirects execution into an injected image; Formbook/Xloader rely on this kind of injection to run inside a legitimate-looking process.
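
Two of the signatures above are registry persistence: "Adds Run key" is the ordinary ...\CurrentVersion\Run value, and "Adds policy Run key" is ...\CurrentVersion\Policies\Explorer\Run, which Explorer honours the same way but which is far less commonly inspected by admins and tooling. The following Python is an added example (not part of the sandbox report) that flags both from registry-set events and rates them by where the auto-started binary and the writing process live. The events are a constructed, simplified key=value rendering of Sysmon Event ID 13 (RegistryEvent, value set); the field names follow Sysmon, but the value name `Update`, the file paths, the SID and the vendor entries are made up. RunOnce is included as a generalisation beyond the two signatures on the page.

```python
"""
Added example, not part of the sandbox report: flag auto-start registry
writes matching the "Adds Run key" and "Adds policy Run key" signatures.
Events are a constructed, simplified key=value rendering of Sysmon Event
ID 13; paths, SID and value names are made up for the example.
"""
import re

# Auto-start value locations. Policies\Explorer\Run is honoured by Explorer
# like the ordinary Run key but is rarely written by legitimate installers.
# RunOnce is an added generalisation beyond the two page signatures.
RUN_KEY_PATTERNS = [
    ("policy-run", re.compile(r"\\Policies\\Explorer\\Run\\[^\\]+$", re.I)),
    ("run",        re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)),
    ("runonce",    re.compile(r"\\CurrentVersion\\RunOnce\\[^\\]+$", re.I)),
]

# Directories an unprivileged user can write to; an auto-start entry that
# points here (or is written from here) is a much stronger signal than one
# pointing into Program Files.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)

# key=value fields; values may contain spaces, so a value ends where the
# next " Key=" begins or at end of line (simplification for the example).
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed events: the dropped sample writing both Run keys, a vendor
# installer writing a legitimate Run value, and an unrelated Explorer write.
SAMPLE_EVENTS = r"""
EventID=13 Image=C:\Users\victim\AppData\Local\Temp\Ponuda_67483346_Ofertaz_Q248mm2022.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Update Details=C:\Users\victim\AppData\Roaming\Update\Update.exe
EventID=13 Image=C:\Program Files\Vendor\setup.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent Details=C:\Program Files\Vendor\agent.exe
EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000002)
EventID=13 Image=C:\Users\victim\AppData\Local\Temp\Ponuda_67483346_Ofertaz_Q248mm2022.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Update Details=C:\Users\victim\AppData\Roaming\Update\Update.exe
"""


def parse_event(line):
    """Turn one 'Key=value Key=value' line into a dict."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Return (kind, severity, reasons) for an auto-start write, else None."""
    if event.get("EventID") != "13":
        return None
    target = event.get("TargetObject", "")
    for kind, pattern in RUN_KEY_PATTERNS:
        if pattern.search(target):
            break
    else:
        return None
    details, image = event.get("Details", ""), event.get("Image", "")
    severity, reasons = "medium", [f"auto-start value written under {kind} key"]
    if kind == "policy-run":
        severity = "high"
        reasons.append("Policies\\Explorer\\Run is rarely used by legitimate installers")
    if USER_WRITABLE.search(details):
        severity = "high"
        reasons.append("auto-started binary lives in a user-writable directory")
    if USER_WRITABLE.search(image):
        severity = "high"
        reasons.append("writing process runs from a user-writable directory")
    return kind, severity, reasons


def scan(text):
    """Return one finding dict per auto-start write found in the event text."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        result = classify(event)
        if result:
            kind, severity, reasons = result
            findings.append({"kind": kind, "severity": severity,
                             "image": event.get("Image"),
                             "target": event.get("TargetObject"),
                             "details": event.get("Details"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['kind']:10} {f['target']}")
        for reason in f["reasons"]:
            print(f"         - {reason}")
```

The vendor entry is reported at medium severity rather than suppressed: a Run value written into Program Files by a Program Files installer is usually benign, but it is still a persistence change worth keeping in the audit trail, and an allow-list of known installers is the right place to tune it down.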

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic              Technique                             ID      Matches
Execution           Command-Line Interface                T1059   1
Persistence         Registry Run Keys / Startup Folder    T1060   2
Defense Evasion     Modify Registry                       T1112   3
Credential Access   Credentials in Files                  T1081   1
Discovery           System Information Discovery          T1082   3
Collection          Data from Local System                T1005   1

The IDs are ATT&CK v6; in current ATT&CK, T1060 has been folded into T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1081 into T1552.001 (Unsecured Credentials: Credentials In Files).
