General

  • Target

    2f1dfefc6a2744bf853c5eb70a3df665.docx.zip

  • Size

    7KB

  • Sample

    210614-d1azk3wrbj

  • MD5

    3325306a3e6c341de30a4038905f5945

  • SHA1

    a1fde655303040c00a863097295f1199314b6d32

  • SHA256

    96e01da5fe7172331adb93fee0fc4d383f90d2672501138aa0a1c6bec0a48282

  • SHA512

    4a77610084ab3d8eede9c58d44ce3650fa71ae7d7116a77098afce6108ee57ad6e9d3d169acb716fef589b4d411cf180f748c08a772bc17eae1c48847ddff673

Malware Config

  • Extracted

    Rule: Microsoft Office WebSettings Relationship

    C2: http://192.3.141.131/-..........................................-......................-/.......................................wbk

  • Extracted

    Family: xloader

    Version: 2.3

    C2: http://www.morsowanie.com/j26a/

Decoy

Targets

    • Target

      2f1dfefc6a2744bf853c5eb70a3df665.docx

    • Size

      10KB

    • MD5

      8d5d15825e35f4f19f2d2ac1836c5087

    • SHA1

      09c047b6473703704805748926e226c700322593

    • SHA256

      2109c5a512a7c5f23fd4b7eb251195ac00f5d8e3798bee07927f89c5b50bc2bb

    • SHA512

      d965bba779c742fa4e0733b3cc25b13684ad301381519c1d7d85470b3df94b82883362e75d7a1c929595a2e1800c7b3fa3d56b9471269cf05c7202007118ea3d

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic           Technique                           Count  ID
Execution        Scripting                           1      T1064
Execution        Exploitation for Client Execution   1      T1203
Defense Evasion  Scripting                           1      T1064
Defense Evasion  Modify Registry                     1      T1112
Discovery        Query Registry                      2      T1012
Discovery        System Information Discovery        2      T1082