General

  • Target

    13af3ad92eb86c2c95c816ac526b97c78e0aaed46535c61bf363d768bb2cb0c9

  • Size

    5.4MB

  • Sample

    241121-yvb7da1jdp

  • MD5

    f2d05d9992533275a7c42b6bc872a9da

  • SHA1

    567be5eeafde8b270928ed0d254a5331de5d8970

  • SHA256

    13af3ad92eb86c2c95c816ac526b97c78e0aaed46535c61bf363d768bb2cb0c9

  • SHA512

    10131839c5aaadc7898778510e422c3ec9dc329fda621a4d47603c4b7218bc6e40aa831238aee7ddf044bc04d0dc0dbd8a4298ef67eb2573229154dc9e4ba5de

  • SSDEEP

    98304:JQFJ2L2CvcY7TWNzDC1ya1gigYC2b9VIJE/y4T4l5jPH+tXJNo5mx:IJ2LLUY7aJChgig4VID48lZNG

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nd04

Decoy

Extracted

Family

redline

Botnet

chinchong

C2

23.94.54.224:6325

Extracted

Family

formbook

Version

4.1

Campaign

m0r9

Decoy

Targets

    • Target

      19979.bat

    • Size

      630KB

    • MD5

      1c41d0198adc92df0a83e60c27c76c78

    • SHA1

      689aa46c42c440b86e7a11a18bca0c4c6afd9c0e

    • SHA256

      6ff40b2ed84520e3135881c7a31a49f2a0952e1ed7a9739527b1619bcb6ec8f8

    • SHA512

      f2e562a2d7f916587f5ac71efe34ad431ae45632080d7e9f3cd3108f7b5afd23fb473b3bda3577eaa4b0570c4a8969c124398da0997a6a04597c3396137924c5

    • SSDEEP

      12288:xnZHHEPo3PUuUSc6AdkuqV3wuEW2ypRxRWj:xZnEPonoawe2yVRS

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader family

    • Xloader payload

    • Deletes itself

    • Suspicious use of SetThreadContext

    • Target

      Factura_855.pdf.exe

    • Size

      214KB

    • MD5

      fbcc50e49a03f6b2469352851fcc0800

    • SHA1

      63f99919354e58010819251556f5ace361b7c390

    • SHA256

      498cbaa02846904c60c9a349f49bc72a046d1cd686d858286f33cfcf39716215

    • SHA512

      d7080f1d75a1f88d56d24da1f8d132625236a6057f5d0571bcac387afa27c2a294983d3df952bea8592812415d4210f4136f5a367b4cf81883e3d487c580b7f7

    • SSDEEP

      6144:HNeZmOQDVfP9e6oAzSI/2Cou2L2YlOPrYbihN:HNlOQZP9e6RzS5c2LZcUU

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook family

    • Formbook payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      qfmjhb.exe

    • Size

      5KB

    • MD5

      d93c0902c13f3f17012c2778fd24b009

    • SHA1

      7ad3d53210ce587d2195545115c9086457a14623

    • SHA256

      0487ed5d2a046ee552e410b5c9b3cf27eb0c3b369fecff3132c58e57eb1c0ad8

    • SHA512

      4cb2d5beb7ed5532819bd96c92000c9e12f145d37cdd2ad4dec3f67ce74107c4a00fb850700015168ef6c2620277c237de3a2c279a99150ed46a3d0b5905fc3a

    • SSDEEP

      96:jYRTsfPD1niVZnEQ1TfHP97HzJcpLLWPOoyn:jYRIPDwVF15fV79qLSPOoyn

    Score
    3/10
    • Target

      Fattura_855.pdf.exe

    • Size

      240KB

    • MD5

      068b6fd352736535c7d967673914c66a

    • SHA1

      ae5b7ac0e73123f5b2b31e9a3b1061c9985e70bf

    • SHA256

      df52a26061f50bed16f94038cfedb42e1b492b9ce865daabd7ce15db4db9b8a3

    • SHA512

      0b3eff80a6cba89895c554206bb64246bc090a04015eae579e9624f71a72e750fa0d9c352f1922731698223444b1b583c3aa075fc67fb00c32f6fe19b8bb585f

    • SSDEEP

      6144:HNeZm//7la+u61CkduDVUWurQZt1czVpwS:HNl/zlnNCyAUW1KgS

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook family

    • Formbook payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      gocbcx.exe

    • Size

      64KB

    • MD5

      6c310e309e2ddfe8ae53e95c525c9e52

    • SHA1

      694861bf8fbddafc5673853c8f7c910a2b60a1b7

    • SHA256

      ffef20b2c9b8d9cdd4f471718ef688a8bd4834b6481978574b877ab14a91228d

    • SHA512

      8030a4b7d8d225699d4c9d71cf015dbb90895266e9006c5fee1ba9ce56ac871f1f9477ee4ccf6c62109ef23f0321d9590a3b286156d5b57e30bbe2f9d302a931

    • SSDEEP

      768:klHfloloDRGOt3qLVEw2b61rKnuvQ7n0jnbawiBDNKtc8WhsWjcdhDjC+9Vv:CB1qL6zbtwQ7qegc8EsWjcdhDz

    Score
    3/10
    • Target

      IoC/MIL0000640730.xlsm

    • Size

      34KB

    • MD5

      d40bfad72dd13a14ed745827ba2a40fc

    • SHA1

      d5cd2e93fb8330f6830b03d389ee328696367f00

    • SHA256

      b3611898ab09f4bc4cee71dd84e14cbe2e1262ab6b2147ac2a4a2578f815f531

    • SHA512

      faeb08dab7101b3294b8a7b7f1b1f3aff90076a20bea12b1d140ee3a4df4889e540f77b3d8f469aa2b147ea05509f73290a7cae0c7187ab6eac52832ff28ec2f

    • SSDEEP

      768:YgupkvdLmA9500CpLtzBCHH3G/WGwKaDyu71tzQ:YgFtd50vLfG7H1tM

    Score
    3/10
    • Target

      IoC/PO.xlsx

    • Size

      673KB

    • MD5

      916e97845046785cd1cecd13eb9066cb

    • SHA1

      10482433036f11039984f19c754bb75118fee761

    • SHA256

      4746681c92d6308c66e76d7ffc022d7fd91b91e364c3909875555dc13c13f28f

    • SHA512

      9e9b992540e71970b3f64195e34bcbb4447f2dee690aea11a8ae4636a69e9ad16c27f43a927b5cd8b1178b9201dd460569882ee7ddf192fdb45cc3edcc8e38be

    • SSDEEP

      12288:4HukDNlkQ4jffozcmljqcp25wqI/FMhVRCByJb0vpFP2srFVc7B2YCeNtRi5:Kv4j7TWQwqwF4IFb/c7BaUi5

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      PO_2022-04-33981.exe

    • Size

      924KB

    • MD5

      0e9db60ad1bf774e9cee7b52cc145b4e

    • SHA1

      322187dd46fc28a2727faac47b1efea50505a89a

    • SHA256

      af573246f95b5eab9ae520005e00fd4e3f35e3488b2681e1a196d3e24eeb8c02

    • SHA512

      a263b3bd59e70553a1b1c796a1faed85d8483dcca9f62c8f4b124e5263d240b6df9040a00da80d9752e58324d844ccd3ff8dbe41c24e57b9050e4ebf80f5e430

    • SSDEEP

      12288:MbuvIyfL/alfmZlbbrekq/iI7hq/TUqzi9/k7a4sAMiAKUCPSQ/Dk7leWpLklyA4:MFcLhpex/iUqzuIaXbilBPvbk7hAlWp

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Windows security bypass

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      IoC/Pagamento.xlsx

    • Size

      673KB

    • MD5

      b6f59978c11f425ebb5183d59727c312

    • SHA1

      bb13cb76b17f1902e0f85bc5b6110cdb7396572f

    • SHA256

      f65a02f6a1fa903c6ea78cf264fb7007309b7e4b426a6db94ce2bb9e0a43fb5f

    • SHA512

      533b65c105b985f5037e32b0a7ba9d192877a14a0fd22b9a0b6294a5e1a6f29e04b4a90af481a310ef999d5ca239a0d010c8cd0d36dd1fc8237a2667577729a6

    • SSDEEP

      12288:keudkZeF2+hBDNY3rZ0jCJHETmBPQfE8ZJpqR6K+U2DChL3Ve0BJST4YVwo//GRy:gaZeYqDNY32jiBQfbJG6Y2WhL33I4YV3

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      IoC/SHIPPING DOCUMENTS.doc

    • Size

      11KB

    • MD5

      8b6a21c29f22e0464ee95317bd985eed

    • SHA1

      04a9b89d89e22dbebb71c8342bdfd590d13c0ff7

    • SHA256

      2bdc496ee0f65d05fb5b38dcfc25abaf3eb19b8922884156eea0cf8880c2b8d4

    • SHA512

      c1cb18d0f035effe511bc9f20bb8582eb327e4b59130c9ddf7ec3743f1226838e634f9d63248807bfbbdb547b9c5b700a21244deff1f30bb814a5e44f2c7088c

    • SSDEEP

      192:Fmn9kNkpUArVBpLF2jz0A+ko38iJznbYFLFSodbH70byIYy:FmeNkpUghkB+ko38C6LFSoybyIYy

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      SMK_29082022.exe

    • Size

      122KB

    • MD5

      c953aa5416e760df5d8926f4f896fedd

    • SHA1

      f81842b2949597fd846158be0568d23276f6d8e3

    • SHA256

      4b08145e5bec544285f7f7d24f4a187699016bc6b33e7575dfd8a759048a30a0

    • SHA512

      44bb338ccd171202f83f54b2d5b4dae52b40e3e8a54461b8b607836c71b4d4f210c0e21dec6145b59341ca8143b07e35f86f9026113d26c187c668964e353dc4

    • SSDEEP

      3072:2fY/TU9fE9PEtu4IEOa8jDb/P4kCFYXq2N06yT3:gYa6Paa/P4kCF6Lbo

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      cff85c549d536f651d4fb8387f1976f2

    • SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    • SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    • SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    • SSDEEP

      192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

xloader, nd04, discovery, loader, rat
Score
10/10

behavioral2

xloader, nd04, discovery, loader, rat
Score
10/10

behavioral3

formbook, m0r9, discovery, rat, spyware, stealer, trojan
Score
10/10

behavioral4

discovery
Score
7/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

formbook, m0r9, discovery, rat, spyware, stealer, trojan
Score
10/10

behavioral8

discovery
Score
7/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

Score
1/10

behavioral13

discovery
Score
8/10

behavioral14

Score
1/10

behavioral15

discovery
Score
3/10

behavioral16

redline, sectoprat, chinchong, discovery, evasion, execution, infostealer, persistence, rat, trojan
Score
10/10

behavioral17

discovery
Score
8/10

behavioral18

Score
1/10

behavioral19

discovery
Score
8/10

behavioral20

discovery
Score
3/10

behavioral21

guloader, discovery, downloader
Score
10/10

behavioral22

guloader, discovery, downloader
Score
10/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
3/10