General

  • Target

    PMIS company profile.docx

  • Size

    10KB

  • Sample

    210511-egyl2y4ya6

  • MD5

    5704dea68ffebbaecbe941b8e445fa25

  • SHA1

    0bad251b775dbfe0759ee9c533e3103484abef59

  • SHA256

    1b9e262629ba7f72093f02f22a74b0647c25171ea93e64c972ddfd1bce7bd27c

  • SHA512

    f093f9f6efe2e11c08ecd0e974ba207f56e92bf24b63b20fa9427d077df05b4fab820453748d9afc5eb15ebdc2ae8dd1d474f8afc73d84057cc71635d648a7cd

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship
C2

http://bit.do/fQL9f

Extracted

Family

xloader

Version

2.3

C2

http://www.drpratimakanade.com/bucw/

Decoy

Targets

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scripting: T1064 (1)

  • Exploitation for Client Execution: T1203 (1)

Defense Evasion

  • Scripting: T1064 (1)

  • Modify Registry: T1112 (1)

Discovery

  • Query Registry: T1012 (2)

  • System Information Discovery: T1082 (2)

Tasks