General

  • Target

    PO819938490.doc

  • Size

    1.0MB

  • Sample

    210727-b6mxd3d7ss

  • MD5

    21b9f05eadd859677d470f1eb6d961c3

  • SHA1

    de601328b24e39d14dacb60ebe53cd47cdd7adda

  • SHA256

    f4d9e5ddca3444e2062f930675c49dbd3e1a73e3936b326a8edfe7090ce16b98

  • SHA512

    54d800235dbf33d209b3c2d859afcc8613f92b3ddeb08d6c48cf19bb3fe037bdd416d26de62ea5e7f24b85d946bc946b93132000e7987ad4e4683b7e60c7cb55

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: httP://136.144.41.61/MSIuaQz91rPyszO.exe

Extracted

  • Family

    xloader

  • Version

    2.3

  • C2

    http://www.arogyanlife.com/b82a/

  • Decoy

    annguyet.net
    parkwood.tech
    readysetmortgage.net
    betraywithdraw.com
    incmagazine.xyz
    dentistinpimplesaudagar.com
    lianhx.com
    prodrelease0827b.com
    safehavenwellbeing.com
    gehdeinweg.club
    sondaggio123.space
    prospecx.report
    remediate.info
    savylash.com
    puppornstar.com
    coaching-romand.com
    boozeshops.com
    team316media.com
    ldgawydtl.icu
    trezteez.com

Targets

    • Target

      PO819938490.doc

    • Size

      1.0MB

    • MD5

      21b9f05eadd859677d470f1eb6d961c3

    • SHA1

      de601328b24e39d14dacb60ebe53cd47cdd7adda

    • SHA256

      f4d9e5ddca3444e2062f930675c49dbd3e1a73e3936b326a8edfe7090ce16b98

    • SHA512

      54d800235dbf33d209b3c2d859afcc8613f92b3ddeb08d6c48cf19bb3fe037bdd416d26de62ea5e7f24b85d946bc946b93132000e7987ad4e4683b7e60c7cb55

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks