General

  • Target

    5d2be550db7b54a3bb218ccc00904299863d2acc71095fc28d470488b0f1aca0

  • Size

    194KB

  • Sample

    241121-zrqe9sxpat

  • MD5

    9dc0365f7e8d437f9d85797c02e65370

  • SHA1

    4a78a78b00f5e5054051ed5e582d7fdb639d96c8

  • SHA256

    5d2be550db7b54a3bb218ccc00904299863d2acc71095fc28d470488b0f1aca0

  • SHA512

    095642c3e10a9b1251c83102110d814db7914f740a86b1bea74e5a817af2ff582215a2223d951cf193f9c870e947a89567f70bfe01a88eb3828749c98aabcfa1

  • SSDEEP

    3072:oWAObH4JhkLh/jdD8GDmh2MCGki7LpAzg6AZowGc+d6QLNWUFo8Sf/9b6mdrX:ppShk5jdwGKh2MPfUgX7ZQLzkBrX

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pzi0

Decoy

laylmodest.com

woruke.club

metaverseslots.net

syscogent.net

aluxxenterprise.com

lm-solar.com

lightempirestore.com

witcheboutique.com

hometech-bosch.xyz

expert-netcad.com

poteconomist.com

mycousinsfriend.biz

shineveranda.com

collegedictionary.cloud

zqlidexx.com

businessesopportunity.com

2utalahs4.com

participatetn.info

dare2ownit.com

varser.com

Targets

    • Target

      d2d96154024ca3137cd2e84d367053ea8e0de0459a781356577a3ba775c1fb8e

    • Size

      354KB

    • MD5

      4e5cc8fddecae16e747e6b1a48b31cd5

    • SHA1

      9195d4069bc82b38261bb9ec58333921e7164eac

    • SHA256

      d2d96154024ca3137cd2e84d367053ea8e0de0459a781356577a3ba775c1fb8e

    • SHA512

      fa27ad2184bc22d0d7784e1ecffd049266c43b196635373e73280d71e244061687113143361e8466f29f489259afd0b18e8c50ffb37007cc199fea0e28475ad1

    • SSDEEP

      6144:MFy6iTj2GQabp6O5GiyPXg6FRC5epPNmyJn6kiMJ+ME5fSKO37S:MFy6NagigXg6FR7NmyJGMfExSPG

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Formbook family

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Vjw0rm family

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader family

    • Xloader payload

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks