Overview

overview

10

Static

static

GLC-2021-E025(1).xlsx

windows7_x64

10

GLC-2021-E025(1).xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    GLC-2021-E025(1).xlsx

  • Size

    1.2MB

  • Sample

    210727-l3mxarvy8e

  • MD5

    0b88672aa208666b2a856b6637517d45

  • SHA1

    6a255c999480b1dc260944d0aa10eebc11cdd994

  • SHA256

    8e2417d7d83848d639c70725fc66a8d81f46bbbf936b1442fd649ff4f2885c54

  • SHA512

    879607423bcb6d80837b34268d1e798f2d9f4394aa4c576954f8a05776b46faab8f7b657a7feaeea2b9ab8e34d41c78bbd9f208572dc20646c0ae9a6192d7e93

Score
10/10
xloaderloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.allodrh.com/qmf6/

Decoy

triloxi.com

blackstogether.com

jctradingllc.com

debbieandlesa.com

badseedsco.com

tjlovers.com

creativeresourcesconsulting.com

ksmjobs.net

reginajohas.net

site123web.com

pracliphardware.com

lunchtimewithtwilyght.com

remotereel.com

spartanmu.com

porter-booking-engine.com

slouberdounces.com

certificationsarchive.com

kat420nip.com

prancegoldholdingsjewels.com

xn--botiqunbotnico-4gb1q.com

Targets

    • Target

      GLC-2021-E025(1).xlsx

    • Size

      1.2MB

    • MD5

      0b88672aa208666b2a856b6637517d45

    • SHA1

      6a255c999480b1dc260944d0aa10eebc11cdd994

    • SHA256

      8e2417d7d83848d639c70725fc66a8d81f46bbbf936b1442fd649ff4f2885c54

    • SHA512

      879607423bcb6d80837b34268d1e798f2d9f4394aa4c576954f8a05776b46faab8f7b657a7feaeea2b9ab8e34d41c78bbd9f208572dc20646c0ae9a6192d7e93

    Score
    10/10
    xloaderloaderratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

      suricata

    • Xloader Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks