General

  • Target

    d801e424_by_Libranalysis

  • Size

    10KB

  • Sample

    210430-ajq724n2xx

  • MD5

    d801e4244d30d948a98f68d37abbaed3

  • SHA1

    0f82739fc9522c5b06f591df09755f98316fc7e4

  • SHA256

    5e918aec8ebdbc9ca2fd81f3685740d087332635e9c78cbd3616c482469054d0

  • SHA512

    187059596d5842fbf2db9ccc435964c554ffcf72b557815f39eed18ab5c37cab372e11cddae4b074744b9b97fca8e1325fb9d479330ee6a38923f14c74ef56d4

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

https://cutt.ly/abfROoi

Extracted

Family

xloader

Version

2.3

C2

http://www.gailrichardson.com/qjnt/

Decoy

funeralinsurancetoppro.info

californiaredstate.com

xn--jpr220deud640b.com

playx.finance

siamfellow.com

tekirdagvethelp.com

forrealmodels.com

desenergie.info

whynotplus.com

graniteinaminute.com

satgurucolorlabs.com

potviper.com

racevx.xyz

thebluefishhotel.net

elletesla.com

4608capaydrive.com

buckhead-meat.com

garage-repair-near-me.com

ubique.works

markokuzmanovicpreduzetnik.com

Targets

    • Target

      d801e424_by_Libranalysis

    • Size

      10KB

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Scripting (T1064): 1

  • Command-Line Interface (T1059): 1

  • Exploitation for Client Execution (T1203): 1

Defense Evasion

  • Scripting (T1064): 1

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 3