General

  • Target

    Finalised With Changes.docx

  • Size

    10KB

  • Sample

    210615-8sl29valc6

  • MD5

    6c09cfa2a148680caa675b37cc908d92

  • SHA1

    e56e4c7405c2debb2f8e4f572e5ac50bb5999f3b

  • SHA256

    012cca592dca94980a85020ffbddc96dd1bafc547d577d58f853d39e3c20d125

  • SHA512

    cd8af3833888cb612d902716afc27aecbb6cc97c9cee0ae6eae18bda78571e573c90a77bd22524022fc851166b0cbb7015971c9f17d4dcd6c7047559625060b9

Malware Config

Extracted

  • Rule

    Microsoft Office WebSettings Relationship

  • C2

    https://dummy_username@itsssl.com/uUWXb

Extracted

  • Family

    xloader

  • Version

    2.3

  • C2

    http://www.etnttcil.com/usur/

  • Decoy

    purpopup.com
    mrswarrenspodcast.com
    blinbins.com
    parahomeoffice.com
    20next.com
    quiala.com
    newccosecurity.net
    throughthehagstone.com
    hnxslawfirm.com
    sztoium.icu
    fullembodiedwoman.com
    sankara-yoga.com
    foottrafficcollective.com
    acruxvacations.com
    jadeena.com
    neurotypicalspouse.com
    onlyinwallkill.com
    laurenkilbane.com
    thebendavonte.com
    regencydevelopmentstoronto.com

Targets

    • Target

      Finalised With Changes.docx

    • Score

      10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (1 signature) T1064
    Exploitation for Client Execution (1 signature) T1203

  • Defense Evasion

    Scripting (1 signature) T1064
    Modify Registry (1 signature) T1112

  • Discovery

    Query Registry (2 signatures) T1012
    System Information Discovery (2 signatures) T1082

Tasks