General

  • Target

    Additional Order Qty 197.xlsx

  • Size

    587KB

  • Sample

    210914-ker11afda4

  • MD5

    58722230e2588518dee806fe73c6948b

  • SHA1

    dcf0f2b354c48b17ce02fbb97a503b97fa581064

  • SHA256

    6c4a9d2d18a36740205a4171dd7b9b0ba89ed3f965a5b56391d582925408956f

  • SHA512

    ef1a9edd4f6db5c247744aeead2be9f8ca8ee3d931d0bc777ccb332f385840c0d51f6ea96f579a00703546aeef13109dc568479f2ae94616f584eacb8d3bc019

Score
10/10

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.3

  • Campaign

    b6a4

  • C2

    http://www.helpmovingandstorage.com/b6a4/

  • Decoy

    gr2future.com
    asteroid.finance
    skoba-plast.com
    rnerfrfw5z3ki.net
    thesmartroadtoretirement.com
    avisdrummondhomes.com
    banban365.net
    profesyonelkampcadiri.net
    royalloanhs.com
    yulujy.com
    xn--naqejahan-n3b.com
    msalee.net
    dollyvee.com
    albertagamehawkersclub.com
    cbspecialists.com
    findingforeverrealty.com
    mrtireshop.com
    wadamasanari.com
    growtechinfo.com
    qipai039.com

Targets

    • Target

      Additional Order Qty 197.xlsx

    Score
    10/10

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scripting (T1064): 1

  • Exploitation for Client Execution (T1203): 1

Defense Evasion

  • Scripting (T1064): 1

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 2
