General

  • Target

    ORDER CONFIRMATION_AP65425652_032421.exe

  • Size

    315KB

  • Sample

    221017-hkrw3sbaeq

  • MD5

    3e1ecb39e6a09031473e9583cceb9d53

  • SHA1

    6b5882fc292ba34c38e67d322abdc09492d64ed9

  • SHA256

    7f53bd1ec3c75fe6f9c52cb4d1d443cf04ccb43f16faa8bd6ffbdd8b465b049f

  • SHA512

    a0fc051979b6a962a5591417a98630f670949f0b42316640c4ff41cb1ce13a9b154ad61bf77c77e0c1e2735459e1bc12b848382a4630ffa564fa4ac202372acf

  • SSDEEP

    6144:obE/HUGMJJpXPV/Wwv/SG1zV5poES6rMK0DGnDkKy1ZpXMSC5rwTCAw2C:obJzPt/nFlV/oESn+c1ZpXMSC5rXV2C

Malware Config

Extracted

Family

formbook

Campaign

nrln

Decoy

Extracted

Family

xloader

Version

3.8

Campaign

nrln

Decoy

Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (1) T1112

  • Credential Access: Credentials in Files (1) T1081

  • Discovery: Query Registry (1) T1012

  • Discovery: System Information Discovery (2) T1082

  • Collection: Data from Local System (1) T1005