General

  • Target

    a3afb654fc55cffc4f26fd27a7f7109de5edc5401d2c6b03241358ea69dbfcda

  • Size

    449KB

  • Sample

    230130-cnkpaaeh8t

  • MD5

    d97fa5d09cd14d1f1bf3a9733d1fcb33

  • SHA1

    fe3d711a4c093615c66514eb750aefc69af7b88a

  • SHA256

    a3afb654fc55cffc4f26fd27a7f7109de5edc5401d2c6b03241358ea69dbfcda

  • SHA512

    576ceb2a764614c6646020e9a625af6fa99a54e4402ee1d3b788ff286a1ee223709f01da150f0e6faf388236e6a46826e03792abb764d56142aa0c93f2a1baab

  • SSDEEP

    6144:GUY3nV8jvJaWR2+LNqvbcQ4je0b3wO92HxNcqNaAFcRBWafsBIco8W7bEopRzqbA:zYFmKH908W2HzazRBWBBo8EJfqiJRp3t

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.6

  • Campaign

    pdrq

  • Decoy

    welchsunstar.com
    mppservicesllc.com
    wiresofteflon.com
    brabov.xyz
    compnonoch.site
    yourbuilderworks.com
    iamsamirahman.com
    eriqoes.com
    eastudio.design
    skyearth-est.com
    teethfitness.com
    razaancreates.com
    shfbfs.com
    joyfulbrokekids.com
    kjbolden.com
    howirep.com
    deedeesmainecoons.website
    e-powair.com
    aheatea.com
    shalfey0009.xyz

Targets

    • Target

      shipping document.exe

    • Size

      602KB

    • MD5

      581f035ad9efea243aa84cb9e0a3b912

    • SHA1

      889d1a7422af067f740cb9bac339ee55847b1287

    • SHA256

      c9b8eec86e68c49ea7d93474b09385745892b0335dff80fd2a15ff682223a39c

    • SHA512

      466abdadc936eefdf33e418a04696d6f17f5533d37de29e7b51e5fe66fef6f3eb93fb7a7fff2197c220d50b10af4c44194d54460a4090e52f46d1e820ea3463c

    • SSDEEP

      12288:Zeb81BafvIK2iNq2iNq2iNq2iNGDak+UVmU7uTyotkJiHD5SS60Vw:iVf51I1I1I12/ZuTdtkJ85SD

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Looks for VirtualBox Guest Additions in registry

    • Xloader payload

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Each entry lists the technique, its ATT&CK ID, and the number of matched signatures.

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1
    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 2
    Modify Registry (T1112): 2

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 4
    Virtualization/Sandbox Evasion (T1497): 2
    System Information Discovery (T1082): 3
    Peripheral Device Discovery (T1120): 1

  • Collection

    Data from Local System (T1005): 1

Tasks