General

  • Target: Statement of Account.xlsx
  • Size: 2.2MB
  • Sample: 210408-7lyg8bdj6x
  • MD5: ed576e8ae0b80c8f5310e0d6e0c7ebd9
  • SHA1: 20ec3e99d7ab3162929b15fe33a3e0d2aa2239f7
  • SHA256: 3ca5de16b0d1621f2b046b1e107f78ce5998d79120a906c045e2e606b8d8c85a
  • SHA512: 61d436b8893e5389287a17ba937e06c65de2bf47f2e42cf813cdc53ff2bf6f118ac47b8086544037bceb8a922a7f461e57aa4b8710f6e9299237b9f4899131c1

Score
10/10

Malware Config

Extracted

Family: xloader

Version: 2.3

C2: http://www.okitmall.com/iu4d/

Decoy domains (20):

abbottdigitalhealthpass.com
peridot.website
emmajanetracy.com
arewedoingenough.com
mvprunning.com
xn--939au40bijas7ab2a93s.com
thehouseofchiron.com
sqzffn.com
moretuantired.com
rosewoodcibubur.com
warungjitu.com
armylord.net
rideequihome.com
girasol.zone
getboostphlo.com
bilradioplaza.com
japannxt.com
figulco.com
insershop.com
loktantratvnews.com
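The extracted config above is the actionable part of this report: one real C2 URL plus a list of decoy domains that the malware beacons to alongside it, using the same URI path. The following is an added example (not part of the sandbox report, not vendor tooling) that turns those values into log matching and hash checking. The C2 URL, decoy domains and file hashes are copied from the report; the proxy log lines and source addresses are constructed for the demo and are not real traffic. It treats a hit on the C2 host and path as high confidence, and a decoy domain alone as weak evidence, because some of the decoys are ordinary sites that unrelated hosts may visit.

```python
"""IOC matching built from the XLoader config extracted above.

Added example, not part of the sandbox report and not vendor tooling.
C2 URL, decoy domains and hashes are copied from the report; the proxy
log lines below are constructed for the demo and are not real traffic.
"""
import hashlib
from urllib.parse import urlsplit

C2_URL = "http://www.okitmall.com/iu4d/"
DECOY_DOMAINS = {
    "abbottdigitalhealthpass.com", "peridot.website", "emmajanetracy.com",
    "arewedoingenough.com", "mvprunning.com", "xn--939au40bijas7ab2a93s.com",
    "thehouseofchiron.com", "sqzffn.com", "moretuantired.com",
    "rosewoodcibubur.com", "warungjitu.com", "armylord.net",
    "rideequihome.com", "girasol.zone", "getboostphlo.com",
    "bilradioplaza.com", "japannxt.com", "figulco.com", "insershop.com",
    "loktantratvnews.com",
}
REPORT_HASHES = {
    "md5": "ed576e8ae0b80c8f5310e0d6e0c7ebd9",
    "sha1": "20ec3e99d7ab3162929b15fe33a3e0d2aa2239f7",
    "sha256": "3ca5de16b0d1621f2b046b1e107f78ce5998d79120a906c045e2e606b8d8c85a",
}


def _norm_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so that
    'www.peridot.website' matches the bare 'peridot.website' in the config."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


C2_HOST = _norm_host(urlsplit(C2_URL).hostname)  # okitmall.com
C2_PATH = urlsplit(C2_URL).path                   # /iu4d/


def classify_url(url):
    """Return 'c2', 'c2-host', 'decoy' or None for one requested URL.

    Host plus path on the C2 host is the high-confidence indicator; a decoy
    domain on its own is weak because some decoys are ordinary websites.
    """
    parts = urlsplit(url)
    host = _norm_host(parts.hostname)
    if host == C2_HOST:
        return "c2" if parts.path.startswith(C2_PATH) else "c2-host"
    if host in DECOY_DOMAINS:
        return "decoy"
    return None


def triage_sources(log_lines):
    """Per source address, from 'ts src method url status' lines (constructed
    format): 'confirmed' if it hit the C2 host and path, 'suspicious' if it hit
    the C2 host elsewhere or two or more distinct decoy domains, 'low' for one
    decoy domain. Sources with no matches are omitted."""
    seen = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip
        verdict = classify_url(fields[3])
        if verdict is None:
            continue
        src = seen.setdefault(fields[1], {"c2": 0, "c2-host": 0, "decoys": set()})
        if verdict == "decoy":
            src["decoys"].add(_norm_host(urlsplit(fields[3]).hostname))
        else:
            src[verdict] += 1
    result = {}
    for addr, s in seen.items():
        if s["c2"]:
            result[addr] = "confirmed"
        elif s["c2-host"] or len(s["decoys"]) >= 2:
            result[addr] = "suspicious"
        else:
            result[addr] = "low"
    return result


def check_hashes(data):
    """Compare MD5/SHA1/SHA256 of a file's bytes against the report's hashes."""
    return {alg: hashlib.new(alg, data).hexdigest() == h
            for alg, h in REPORT_HASHES.items()}


# Constructed proxy log for the demo: timestamp, source, method, URL, status.
SAMPLE_LOG = [
    "1617865200.101 10.0.0.5 GET http://www.okitmall.com/iu4d/?4lGp=AbCd 200",
    "1617865201.230 10.0.0.5 POST http://www.okitmall.com/iu4d/ 200",
    "1617865205.002 10.0.0.7 GET http://www.peridot.website/iu4d/?x=1 404",
    "1617865206.120 10.0.0.7 GET http://www.mvprunning.com/iu4d/?x=2 404",
    "1617865210.441 10.0.0.9 GET https://abbottdigitalhealthpass.com/ 200",
    "1617865211.000 10.0.0.11 GET http://example.org/index.html 200",
]

if __name__ == "__main__":
    for addr, verdict in sorted(triage_sources(SAMPLE_LOG).items()):
        print(addr, verdict)
```

The "two or more distinct decoys" rule exists because the family walks through its domain list in rotation, so an infected host touches several of them in a short window, while a user browsing to one of the legitimate decoys produces a single hit. Blocking the decoy domains outright at the proxy is not advised for the same reason; block the C2 host and alert on the path.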

Targets

    • Target: Statement of Account.xlsx
    • Size: 2.2MB
    • MD5: ed576e8ae0b80c8f5310e0d6e0c7ebd9
    • SHA1: 20ec3e99d7ab3162929b15fe33a3e0d2aa2239f7
    • SHA256: 3ca5de16b0d1621f2b046b1e107f78ce5998d79120a906c045e2e606b8d8c85a
    • SHA512: 61d436b8893e5389287a17ba937e06c65de2bf47f2e42cf813cdc53ff2bf6f118ac47b8086544037bceb8a922a7f461e57aa4b8710f6e9299237b9f4899131c1

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic           Technique                           ID     Count
Execution        Scripting                           T1064  1
Execution        Exploitation for Client Execution   T1203  1
Defense Evasion  Scripting                           T1064  1
Defense Evasion  Modify Registry                     T1112  1
Discovery        Query Registry                      T1012  2
Discovery        System Information Discovery        T1082  2

Note: these IDs are from ATT&CK v6. T1064 (Scripting) has since been deprecated and its content folded into T1059 (Command and Scripting Interpreter), so map it accordingly when feeding this into current tooling.

Tasks