General

  • Target

    MT103-Swift Copy.xlsx

  • Size

    595KB

  • Sample

    210902-hrc65sb36x

  • MD5

    e60e5891c5998886ad977f5b030eef82

  • SHA1

    9ba50531291eba0f3ca193848ba077b72b2ab4db

  • SHA256

    975af824a78131f0cc812dfa094bfab9d92b878f5edadcc689fa29d99e419519

  • SHA512

    d62968ebf3b1c2b255e54e66c023ebb2c59a2f151e0de48a2107e2fb2a3010702aa6a3701b6a510ccd4b18b3f0c3938229b269f0abe85a22052cfa7909854b70

Malware Config (extracted)

  • Family

    xloader

  • Version

    2.3

  • Campaign

    ecuu

  • C2

    http://www.polaritelibrairie.com/ecuu/

  • Decoy

    buoy8boats.com
    tomrings.com
    o-distribs.com
    majesticgroupinc.com
    tehridam.com
    yzwjtoys.com
    castro-online.run
    aquarius-twins.com
    jamesrrossfineart.com
    pavarasupatthonkol.com
    rivermarketdentistry.com
    gyiblrjd.icu
    redcountrypodcast.com
    youngbrotherspharmacyga.com
    betsysobiech.com
    neocleanpro.com
    ingpatrimoine.com
    mustangsallytransportation.com
    jsvfcxzn.com
    krsfpjuoekcd.info
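The config above is only useful if the real C2 is kept apart from the decoys: XLoader/Formbook beacons to the decoy domains as well as the actual C2, so a bare blocklist of all 21 hosts produces noisy, low-value alerts (and some decoys may be legitimate sites). The script below is an added example, not part of the sandbox report, that loads the extracted config, derives the campaign URI path (`/ecuu/`, the campaign ID that also terminates the C2 URL) and scans a constructed proxy log, rating hits by whether they reached the real C2 or only a decoy. The log format, client IP and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlparse

# XLoader 2.3 configuration as extracted in the report above (campaign "ecuu").
CONFIG = {
    "family": "xloader",
    "version": "2.3",
    "campaign": "ecuu",
    "c2": "http://www.polaritelibrairie.com/ecuu/",
    "decoy": [
        "buoy8boats.com", "tomrings.com", "o-distribs.com",
        "majesticgroupinc.com", "tehridam.com", "yzwjtoys.com",
        "castro-online.run", "aquarius-twins.com", "jamesrrossfineart.com",
        "pavarasupatthonkol.com", "rivermarketdentistry.com", "gyiblrjd.icu",
        "redcountrypodcast.com", "youngbrotherspharmacyga.com",
        "betsysobiech.com", "neocleanpro.com", "ingpatrimoine.com",
        "mustangsallytransportation.com", "jsvfcxzn.com", "krsfpjuoekcd.info",
    ],
}


def normalize_host(host):
    """Lower-case a hostname, drop a trailing dot and a leading 'www.' so that the
    C2's 'www.polaritelibrairie.com' and a log's 'polaritelibrairie.com' compare equal."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def network_iocs(cfg):
    """Map every host in the config to its role: the real C2 is 'c2', the rest are
    'decoy'. Decoys are worth hunting on because the bot also beacons to them,
    but a decoy hit alone is not proof of infection."""
    iocs = {normalize_host(urlparse(cfg["c2"]).hostname): "c2"}
    for d in cfg["decoy"]:
        iocs.setdefault(normalize_host(d), "decoy")
    return iocs


def campaign_path(cfg):
    """The campaign ID is used as the C2 URI path; for this sample the extracted
    C2 URL ends in '/ecuu/', matching the campaign field."""
    return "/" + cfg["campaign"].strip("/") + "/"


# Constructed proxy log (not from the sandbox), one request per line:
# <timestamp> <client-ip> <method> <url> <status>
SAMPLE_LOG = """\
2021-09-02T10:00:01Z 10.0.0.12 GET http://www.polaritelibrairie.com/ecuu/?id=abc 404
2021-09-02T10:00:03Z 10.0.0.12 POST http://tomrings.com/ecuu/ 200
2021-09-02T10:00:05Z 10.0.0.12 GET http://neocleanpro.com/ 200
2021-09-02T10:00:07Z 10.0.0.12 GET http://example.org/index.html 200
this line is garbage and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(text, cfg=CONFIG):
    """Return one hit per log line whose host appears in the config.

    Confidence: 'high'   - request to the real C2 host
                'medium' - decoy host reached with the campaign path
                'low'    - decoy host reached with any other path"""
    iocs = network_iocs(cfg)
    cpath = campaign_path(cfg)
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        url = urlparse(m["url"])
        host = normalize_host(url.hostname)
        role = iocs.get(host)
        if role is None:
            continue
        if role == "c2":
            confidence = "high"
        elif url.path.startswith(cpath):
            confidence = "medium"
        else:
            confidence = "low"
        hits.append({"ts": m["ts"], "src": m["src"], "host": host,
                     "path": url.path, "confidence": confidence})
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f'{h["confidence"]:6} {h["src"]} -> {h["host"]}{h["path"]}')
```

Feed `scan_proxy_log` the real proxy export and treat a 'high' hit, or a cluster of 'medium' hits from one client, as the trigger for host triage; a single 'low' hit is a lead, not an incident.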

Targets

    • MT103-Swift Copy.xlsx (595KB; MD5, SHA1, SHA256 and SHA512 as listed under General above)

Signatures
    • Xloader

      Xloader is the rebranded successor of the Formbook information stealer, which is why the extracted config carries one real C2 hidden among a list of decoy domains.

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
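Three of the signatures above leave traces in ordinary endpoint telemetry: "Executes dropped EXE", "Uses the VBS compiler for execution" (taken here to mean vbc.exe, the VB.NET compiler) and "Adds Run key to start application". The script below is an added example, not part of the sandbox report, that runs those three checks over constructed Sysmon-style process-creation and registry events and reconstructs the process lineage so a vbc.exe launch can be tied back to the Office document. Paths, PIDs, the username and the value name are constructed for the example; the build-tool allowlist is an assumption. "Suspicious use of SetThreadContext" is deliberately not covered: it is an API-level injection indicator that process and registry events do not expose.

```python
import re

# Constructed Sysmon-style events (not from the sandbox report). Two event kinds:
#   process  - process creation: pid, ppid, image, parent image
#   registry - registry value set: pid, image, target key/value, data written
EVENTS = [
    {"kind": "process", "pid": 3000, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent": r"C:\Windows\explorer.exe"},
    # dropped payload launched by Excel after the document is opened
    {"kind": "process", "pid": 4100, "ppid": 3000,
     "image": r"C:\Users\alice\AppData\Local\Temp\win.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    # the payload spawns vbc.exe (the report's "VBS compiler")
    {"kind": "process", "pid": 4200, "ppid": 4100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\win.exe"},
    # persistence: Run key pointing back at the dropped executable
    {"kind": "registry", "pid": 4100,
     "image": r"C:\Users\alice\AppData\Local\Temp\win.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\win",
     "details": r"C:\Users\alice\AppData\Local\Temp\win.exe"},
    # benign noise that must not fire
    {"kind": "process", "pid": 5000, "ppid": 900,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"kind": "registry", "pid": 5100,
     "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
BUILD_TOOLS = {"msbuild.exe", "devenv.exe"}  # assumed legitimate parents of vbc.exe
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)


def basename(path):
    """Last path component, lower-cased, so image comparisons are case-insensitive."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(pid, procs):
    """Follow ppid links to build the chain child-first, e.g.
    'vbc.exe <- win.exe <- excel.exe'. Stops at an unknown pid or a cycle."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return " <- ".join(chain)


def triage(events):
    """Return (rule, pid, detail) findings for the three host behaviours the
    report lists: executing a dropped EXE, launching vbc.exe, and a Run-key autostart."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    findings = []
    for e in events:
        if e["kind"] == "process":
            image, parent = basename(e["image"]), basename(e["parent"])
            chain = lineage(e["pid"], procs)
            if parent in OFFICE_APPS and USER_WRITABLE.search(e["image"]):
                findings.append(("office-executes-dropped-exe", e["pid"], chain))
            if image == "vbc.exe" and parent not in BUILD_TOOLS:
                # an Office app anywhere in the ancestry makes this far more suspicious
                ancestors = chain.split(" <- ")
                severity = "high" if any(p in OFFICE_APPS for p in ancestors) else "medium"
                findings.append(("vbc-launched-outside-build", e["pid"], f"{severity}: {chain}"))
        elif e["kind"] == "registry":
            # only Run values that point into user-writable locations; vendor
            # installers writing HKLM Run values to Program Files are left alone
            if RUN_KEY.search(e["target"]) and USER_WRITABLE.search(e["details"]):
                findings.append(("run-key-to-user-writable-path", e["pid"], e["details"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

The Run-key rule is narrower than the sandbox signature on purpose: in production the unconditional "any Run value written" check fires on every installer, whereas a Run value pointing into AppData or Temp almost never has a legitimate explanation.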

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            ID     Matches
  Execution        Scripting                            T1064  1
  Execution        Command-Line Interface               T1059  1
  Execution        Exploitation for Client Execution    T1203  1
  Persistence      Registry Run Keys / Startup Folder   T1060  1
  Defense Evasion  Scripting                            T1064  1
  Defense Evasion  Modify Registry                      T1112  3
  Discovery        Query Registry                       T1012  2
  Discovery        System Information Discovery         T1082  3

  The IDs are ATT&CK v6. T1064 (Scripting) was later deprecated in favour of the T1059 sub-techniques, and T1060 became T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder); map accordingly when importing into a current ATT&CK Navigator layer.
