General

  • Target: Purchase Order.xlsx
  • Size: 1.1MB
  • Sample: 210721-7te9ezk8na
  • MD5: bd74930ecc1b91cafa74e1b0268650af
  • SHA1: be0328924f2885d5d986896b52a2463c5bbed6f0
  • SHA256: 153db12d1016932980a84bdd663e46fe92a7324383cd83d0881715f8c6436764
  • SHA512: d24687ade48c8d400ea257b4f2ad092c149dcb69e6f904f8ae550741e411499f06b314c67f5f8a5d7e60a9f91401e8bc918d533422f34fa613a5caa8a7c73d72

Score
10/10

Malware Config

Extracted

  • Family: xloader
  • Version: 2.3
  • C2: http://www.partypacktv.net/a3ea/

Decoy


Targets

  • Xloader: Xloader is a rebranded version of Formbook malware.
  • Xloader Payload
  • Blocklisted process makes network request
  • Downloads MZ/PE file
  • Executes dropped EXE
  • Loads dropped DLL
  • Uses the VBS compiler for execution
  • Suspicious use of SetThreadContext
