Overview

overview

10

Static

static

Payment.xlsx

windows7_x64

10

Payment.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Payment.xlsx

  • Size

    1.9MB

  • Sample

    210505-1bzb6cg49s

  • MD5

    3812fac8cd9bd9459499c7888db6ec01

  • SHA1

    b86b7eec3bf457494c4c091011c681ea28a57c2e

  • SHA256

    d77edf575af32f39c003ccc192ba10259ccb94bd9a5e791b4cd56605fe1bde1d

  • SHA512

    5453a1f8c870340215b488dcf95e812765de22d3c4f566c387aa2f64998d08467c19522b6ea0fa19567cac022ac5a7ededdef300481967f26fa7457bb6127f42

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.cats16.com/8u3b/

Decoy

pipienta.com

wisdomfest.net

jenniferreich.com

bigcanoehomesforless.com

kayandbernard.com

offerbuildingsecrets.com

benleefoto.com

contactlesssoftware.tech

statenislandplumbing.info

lifestylemedicineservices.com

blazerplanning.com

fnatic-skins.club

effectivemarketinginc.com

babyshopit.com

2000deal.com

k12paymentcemter.com

spwakd.com

lesreponses.com

abundando.com

hawkspremierfhc.com

Targets

    • Target

      Payment.xlsx

    • Size

      1.9MB

    • MD5

      3812fac8cd9bd9459499c7888db6ec01

    • SHA1

      b86b7eec3bf457494c4c091011c681ea28a57c2e

    • SHA256

      d77edf575af32f39c003ccc192ba10259ccb94bd9a5e791b4cd56605fe1bde1d

    • SHA512

      5453a1f8c870340215b488dcf95e812765de22d3c4f566c387aa2f64998d08467c19522b6ea0fa19567cac022ac5a7ededdef300481967f26fa7457bb6127f42

    Score
    10/10
    xloaderloaderrat

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Xloader Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks