General

  • Target: payment-000598635.docx
  • Size: 10KB
  • Sample: 210504-2thsf3zeka
  • MD5: 5c73df1769f5842ee5810e849f76479c
  • SHA1: 72282281170957eebefe050b767e9d25b0263ca9
  • SHA256: 7ee841fa5f82f3b229064a75f3454d595899132f93a5d77045cd4786d03615de
  • SHA512: 67471217d91696acc7bd0a1245606f35ebb76df8f09dc17aaef854971df059b76abb6a8c4134ea7e7003dcdf3a3ba5657d3d645f4029e7c1bb18900adbc4e893

Malware Config

Extracted

  • Rule: Microsoft Office WebSettings Relationship
  • C2: https://is.gd/2x73Dx

Extracted

  • Family: xloader
  • Version: 2.3
  • C2: http://www.apluspro.online/bgnq/
  • Decoy:
      customsclearingagents.com
      vsemasteraokon.online
      seeheresthething.com
      chozamtravel.com
      cjkustom.com
      djeffexla.com
      survivingks.com
      rokascapitalmanagement.net
      tekdesignlimited.com
      1499parkave.com
      fontanerosboadilla.com
      jesusencounterminisries.com
      uouhodler.com
      cordstraw.com
      dab50074.com
      sarahleinartstore.com
      inawinnebago.com
      wassersportzentrum.online
      giselabustamante.com
      gulaturun.com

Targets

    • Target: payment-000598635.docx
    • Size: 10KB


    Score: 10/10

    Signatures
    • Xloader (Xloader is a rebranded version of Formbook malware.)
    • Xloader Payload
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Abuses OpenXML format to download file from external location
    • Loads dropped DLL
    • Uses the VBS compiler for execution
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Execution
    • Scripting (T1064): 1
    • Exploitation for Client Execution (T1203): 1

  Defense Evasion
    • Scripting (T1064): 1
    • Modify Registry (T1112): 1

  Discovery
    • Query Registry (T1012): 2
    • System Information Discovery (T1082): 2
