General

  • Target

    COAU7229898130.xlsx

  • Size

    2.5MB

  • Sample

    210305-qgdk85s8hn

  • MD5

    a3292b86bcd4841e80f76ba7f198092a

  • SHA1

    be33b9d9895cdb2c2cec310a9915bac27dfe8ec1

  • SHA256

    2f3d395aa18539ff6e1a6046de332d246375ceec143cdc37b5122ab09dad4531

  • SHA512

    d04d1e676d4a22a99a98e05fbcfb21b33b2b1b4640be970ee4a4170c8ebce9b217cc3b1621489b012eef8e2c9c338ef8b6703163dd68a729fb6f7789b8e52136

Score
10/10

Malware Config

Extracted

  • Family

    xloader

  • C2

    http://www.fountainhead410.com/jzvu/

  • Decoy

    rezabird.com
    amthebomb.com
    cqfsc.net
    scottgesslerdesign.com
    australianhempco.com
    digitalkn.com
    theoneandonlytattoostudio.com
    chaing-list.xyz
    technicaljanu.com
    tigerkid.net
    mels.ink
    adassadelacruz.com
    deep-freezers.xyz
    kundanbangles.com
    88840678.com
    xiaonaphotography.online
    john-heer-stuttgart.com
    gumrukihalesi.com
    veekasdoshi.com
    purathanam.com

Targets

    • Target

      COAU7229898130.xlsx (2.5MB, score 10/10; hashes as listed under General above)

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1
    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Scripting (T1064): 1
    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 3
    Query Registry (T1012): 2
