General

  • Target

    Machine Specifications.xlsm

  • Size

    148KB

  • Sample

    210309-3mjgem93ya

  • MD5

    9ce6349baf1276836ea9764233aa09ae

  • SHA1

    0d5349b1e57866a0111d6ec731d21e9cf151a6dd

  • SHA256

    bdad87cc1c4683be3d1a173ac533eb8322ab725e055535c3288b33ac64373ea6

  • SHA512

    b88b6946764199c0c33a02fb02a35d96dea5c30ad01d70b0afdbacd5bae7198ef9ee5722b35cba562daae7ac6c813358082f6fd4c85ee2c2e66b7d6452c29618

Malware Config

  • Extracted

    Language: ps1

    Deobfuscated URLs (exe.dropper): http://transfer.sh/get/D8sXG/text.exe

  • Extracted

    Family: xloader

    C2: http://www.dubainights.net/rrrq/

    Decoy


Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1060 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (2)

  • Discovery

    T1082 System Information Discovery (3)

    T1012 Query Registry (2)