General

  • Target

    z1Xkptgkzbdmjptt.exe

  • Size

    841KB

  • Sample

    230516-nh98jaae44

  • MD5

    1ba791c7a5b6862922b4748e6193ecd9

  • SHA1

    dbeab14ef5a7d6d869f1df053e1efb9244e2e9b1

  • SHA256

    7c85f1aa39a1a12e2e1bf9d3b4b9f56e76304ce8efd332373f8404897b157a5a

  • SHA512

    328491e87cb149feb1e4787e7db57534539f0ac304ae4fb8380823953a13cce1560991d4ec3c1032cdc55eb1e192b0acbf40b9828a150fc0632d430734463c56

  • SSDEEP

    12288:IEaSIJxsS4ISFSs417nXbaGBazVb8N0K1WqN:/F0mcSFS77LaG6VIEg

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Targets

    • Target

      z1Xkptgkzbdmjptt.exe

    • Size

      841KB

    • MD5

      1ba791c7a5b6862922b4748e6193ecd9

    • SHA1

      dbeab14ef5a7d6d869f1df053e1efb9244e2e9b1

    • SHA256

      7c85f1aa39a1a12e2e1bf9d3b4b9f56e76304ce8efd332373f8404897b157a5a

    • SHA512

      328491e87cb149feb1e4787e7db57534539f0ac304ae4fb8380823953a13cce1560991d4ec3c1032cdc55eb1e192b0acbf40b9828a150fc0632d430734463c56

    • SSDEEP

      12288:IEaSIJxsS4ISFSs417nXbaGBazVb8N0K1WqN:/F0mcSFS77LaG6VIEg

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • ModiLoader Second Stage

    • Xloader payload

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

2
T1060

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Tasks