General

  • Target

    SecuriteInfo.com.Exploit.RTF-ObfsStrm.Gen.675.18581

  • Size

    267KB

  • Sample

    210304-cw1zlhczbn

  • MD5

    174339ee0b1d50af956d16c7608a787e

  • SHA1

    70f7dda70f239b16afcd1e7818075237c53abbc5

  • SHA256

    9e9f12d14bd6918e39116f6a1c8017ecf3cd93a37c760b67175c0332d429526e

  • SHA512

    f7a7c1ff8cb032582f8695cb927e1429d8b355547b67a96dfb8834fd43e8891bd6a660c70935c910ba0ee2cb1f20a8d83bc42aab04db310b85fbadab8897527a

Score
10/10

Malware Config

  • Extracted

    Language: ps1
    Deobfuscated
    URLs (exe.dropper): http://bppgov.ng/gotv.exe

  • Extracted

    Family: xloader
    C2: http://www.pardsoda.com/w25t/
    Decoy:


Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Exploitation for Client Execution, T1203 (1)

  • Defense Evasion: Modify Registry, T1112 (1)

  • Discovery: Query Registry, T1012 (2); System Information Discovery, T1082 (2)

  • Command and Control: Web Service, T1102 (1)

Tasks