General

  • Target: RFQ_ V-21-Kiel-050-D02.xlsx
  • Size: 2.3MB
  • Sample: 210408-kjh2ggfb5a
  • MD5: 051054b344afd533b44a9ba0fccfb513
  • SHA1: 49b9e0447b933f40359f4794669c9f4d6b91b3f0
  • SHA256: 5d8e95dcf9a291d1a3fe76875eac502899147aa4f86715c5db2fbbe8354ac262
  • SHA512: 6598a3647b3e7aa8e3515c68eabdb2d84c3500e2df84be2f0fd37a2d83c7cb6f6d1d38fa9f9e6353b7034f271bce307e9f9042b3eab464f4d31737bf85c5ce63

Score
10/10

Malware Config

Extracted
  • Family: xloader
  • Version: 2.3
  • C2: http://www.856380692.xyz/nsag/
  • Decoy:


Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution
  • Scripting (T1064): 1
  • Exploitation for Client Execution (T1203): 1

Defense Evasion
  • Scripting (T1064): 1
  • Modify Registry (T1112): 1

Discovery
  • System Information Discovery (T1082): 3
  • Query Registry (T1012): 2

Tasks