DHL Shipping doc & Shipment tracking details.docx

General
Target DHL Shipping doc & Shipment tracking details.docx
Size 10KB
Sample 210408-9h7wsybb7e
Score 10/10
MD5 30909a9932c77fb923a96b1b090b4806
SHA1 2bbe988290a47de63763796db6a39de0e268a5cf
SHA256 23e650ad3f02ea9f4a402bf5e719d745b7c307c34fd8915045c79d51aab48741
SHA512 3a42c4e4384bed6fe50d3ac3cc02d65108b315ae899abea355792d2f1063be415d80aa1786bac9053a5b7a5f622491fcc5e53cb8c222c252a430b9af0c034836

Malware Config

Extracted
Rule Microsoft Office WebSettings Relationship
C2 http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/................................................................................dot

Extracted
Family xloader
Version 2.3
C2 http://www.scott-re.online/nnmd/

Decoy


Targets
Target DHL Shipping doc & Shipment tracking details.docx


Signatures

  • Xloader
    Description: Xloader is a rebranded version of Formbook malware.
  • Xloader Payload
  • Blocklisted process makes network request
  • Executes dropped EXE
  • Abuses OpenXML format to download file from external location
  • Loads dropped DLL
  • Uses the VBS compiler for execution
    TTPs: Scripting
  • Suspicious use of SetThreadContext

Tasks
static1 10/10
behavioral1 10/10
behavioral2 1/10