General

  • Target

    12.docx

  • Size

    10KB

  • Sample

    210420-7ygmy1v9da

  • MD5

    82e1fb826c9e003297b9fd6a6a6ccc47

  • SHA1

    c3e9cbec88cf6cce927af482bb909d33caee6693

  • SHA256

    a151fff315abbea8d1eab7c0ceec119f6617d8963cedf50a7f5490019f39d491

  • SHA512

    5be153ba0885b56336292faa636ea7ce2bf4d1fc2d18099c617c8284354206f821117890f8843678087a0840b4cd5c407dfc66107a376a39b4c7e8be8656c67a

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://23.95.122.25/.-...............................................................................................-/........dot

Extracted

Family

xloader

Version

2.3

C2

http://www.batiktintaemas.com/goei/

Decoy

bet365o2.com

gulf-landlord.info

foodsystemsjusticeproject.com

ronwongart.com

fwgkdhg.icu

armanrugservice.com

mapadequito.com

vbkulkarni.com

ltsbinge.com

creativem2.com

mindflexlab.com

ushealthvisa.com

247carkeyslondon.com

addthat.xyz

zanzan8.com

legendsalliance.net

shopflyonline.com

csgo-roll.net

reutbergcapital.com

mediaworkhouse.com

Targets

    • Target

      12.docx

    • Size

      10KB

    • MD5

      82e1fb826c9e003297b9fd6a6a6ccc47

    • SHA1

      c3e9cbec88cf6cce927af482bb909d33caee6693

    • SHA256

      a151fff315abbea8d1eab7c0ceec119f6617d8963cedf50a7f5490019f39d491

    • SHA512

      5be153ba0885b56336292faa636ea7ce2bf4d1fc2d18099c617c8284354206f821117890f8843678087a0840b4cd5c407dfc66107a376a39b4c7e8be8656c67a

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks