General

  • Target

    PRC-20-518 ORIGINAL.xlsx

  • Size

    2.3MB

  • Sample

    210408-phxx1axlqx

  • MD5

    c80ada6775e717cdd47af7b4fda60728

  • SHA1

    c6e714a491490359f48fbb35fba4b0ec00e60d5a

  • SHA256

    ef838475e670d8af60da44f03fb314461f97070e67bade2b89e52e6e59c4054a

  • SHA512

    e3042a0b487c210a1d68d653b65131a22bcf5dbcb75fe41d6b2399cc1a829befa8c28e2843903947b92018bde5593468dd0fac810e1cd0f686d2d22a58b9fc8e

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.frontierglasseastaurora.com/g050/

Decoy


Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic            Technique                           Count  ID
  Execution         Scripting                           1      T1064
  Execution         Exploitation for Client Execution   1      T1203
  Defense Evasion   Scripting                           1      T1064
  Defense Evasion   Modify Registry                     1      T1112
  Discovery         Query Registry                      2      T1012
  Discovery         System Information Discovery        2      T1082
