General

  • Target

    debit.xlsx

  • Size

    590KB

  • Sample

    210918-t4s42acchl

  • MD5

    c619f3739311f1dea34c1d0f4af2e6ff

  • SHA1

    da2b62c78132a091d139c000fe1b47a46233c2e7

  • SHA256

    8a0793b266dc3872fed04443f61c057e82c332081139106ddb72a6812e72ab02

  • SHA512

    d616f27317b333ac674bacbd87840fa8761c1af033ed49130381fe6feb8a3216e4bac0cb96779977757352965afb35d0d9ddc820831423178d8f3ac2fb820dcf

Malware Config

Extracted

Family

xloader

Version

2.4

Campaign

uytf

C2

http://www.fasilitatortoefl.com/uytf/

Decoy

estherestates.online

babyballetwigan.com

ignorantrough.xyz

moominmamalog.com

pasticcerialemmi.com

orangstyle.com

oldwaterfordfarm.com

aiiqiuwnsas.com

youindependents.com

runbank.net

phytolipshine.com

almedmedicalcenter.com

czxzsa.com

yummyblockparty.com

gadgetinfo.info

cloudfolderplayer.com

chowding.com

xn--tarzmbu-ufb.com

danielaasab.com

dreampropertiesluxury.com

Targets

    • Target

      debit.xlsx

    • Size

      590KB

    • Hashes

      See the MD5, SHA1, SHA256 and SHA512 values listed under General above; they are the same file.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext
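
The extracted config above gives two things an analyst can act on: the real C2 URL, where the campaign id (uytf) is also the URI path, and a list of decoy domains that this family contacts alongside the real server. Several decoys are ordinary third-party sites, so blocking or alerting on a decoy hostname alone is noisy; the C2 host plus the campaign path is the high-fidelity pair. The script below is an added example, not part of the sandbox report: it parses the config block in the flat key/value layout shown above, builds IOCs from it, classifies constructed web-proxy log lines (the log format and the lines are invented for the example), and checks a local file against the hashes the report lists so you know you are looking at the same sample. The Suricata rule body is not on this page and is not reproduced.

```python
"""Added example (not part of the sandbox report): turn the extracted
XLoader config into IOCs, match them against proxy log lines, and check
a local file against the report's hashes.  The proxy log format and the
log lines are constructed for this example."""
import hashlib
import re
from urllib.parse import urlparse

# Config block copied from the report, in its flat "Key / value" layout
# (only the first few decoys are included to keep the example short).
CONFIG_TEXT = """
Family
xloader
Version
2.4
Campaign
uytf
C2
http://www.fasilitatortoefl.com/uytf/
Decoy
estherestates.online
babyballetwigan.com
ignorantrough.xyz
moominmamalog.com
"""

# Hashes listed in the report for debit.xlsx.
REPORT_HASHES = {
    "md5": "c619f3739311f1dea34c1d0f4af2e6ff",
    "sha1": "da2b62c78132a091d139c000fe1b47a46233c2e7",
    "sha256": "8a0793b266dc3872fed04443f61c057e82c332081139106ddb72a6812e72ab02",
}

CONFIG_KEYS = ("Family", "Version", "Campaign", "C2", "Decoy")


def parse_config(text):
    """Parse 'Key' lines followed by one or more value lines into a dict of lists."""
    cfg = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line in CONFIG_KEYS:
            current = line
            cfg.setdefault(current, [])
        elif current is not None:
            cfg[current].append(line)
    return cfg


def build_iocs(cfg):
    """Split the C2 URL into host and campaign path; keep decoys separately."""
    c2 = urlparse(cfg["C2"][0])
    return {
        "family": cfg["Family"][0],
        "version": cfg["Version"][0],
        "c2_host": c2.hostname,
        "c2_path": c2.path,            # "/uytf/": the campaign id is the URI path
        "decoys": frozenset(cfg["Decoy"]),
    }


# Constructed proxy log format: "<ts> <client> <method> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_request(iocs, url):
    """Return 'c2' for the real C2 host+path, 'decoy' for a decoy host, else None."""
    u = urlparse(url)
    if u.hostname == iocs["c2_host"] and u.path.startswith(iocs["c2_path"]):
        return "c2"
    if u.hostname in iocs["decoys"]:
        return "decoy"
    return None


def scan_log(lines, iocs):
    """Return [(client, host, verdict)] for every log line that touches an IOC."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        verdict = classify_request(iocs, m["url"])
        if verdict:
            hits.append((m["client"], urlparse(m["url"]).hostname, verdict))
    return hits


def verify_sample(data, expected):
    """Compare a local file's digests with the report's; True per algorithm that matches."""
    return {algo: hashlib.new(algo, data).hexdigest() == digest
            for algo, digest in expected.items()}


# Constructed log lines for the example; not real traffic.
SAMPLE_LOG = [
    "2021-09-18T10:12:03Z 10.0.0.12 GET http://www.fasilitatortoefl.com/uytf/ 200",
    "2021-09-18T10:12:04Z 10.0.0.12 GET http://estherestates.online/uytf/ 404",
    "2021-09-18T10:12:05Z 10.0.0.12 GET http://www.example.com/ 200",
    "2021-09-18T10:12:06Z 10.0.0.12 GET http://www.fasilitatortoefl.com/robots.txt 200",
    "2021-09-18T10:12:07Z 10.0.0.31 GET http://babyballetwigan.com/ 200",
]

if __name__ == "__main__":
    iocs = build_iocs(parse_config(CONFIG_TEXT))
    for client, host, verdict in scan_log(SAMPLE_LOG, iocs):
        print(f"{verdict:5} {client} -> {host}")
    # With the real debit.xlsx bytes every entry should be True; here b"" is a stand-in.
    print(verify_sample(b"", REPORT_HASHES))
```

A request to the C2 host for a different path (robots.txt in the sample log) is deliberately not counted as a check-in, and decoy hits are reported separately so they can be used as supporting context for a host that also reached the C2 rather than as a standalone block list.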

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                           ID     Count
  Execution         Scripting                           T1064  1
  Execution         Exploitation for Client Execution   T1203  1
  Defense Evasion   Scripting                           T1064  1
  Defense Evasion   Modify Registry                     T1112  1
  Discovery         Query Registry                      T1012  2
  Discovery         System Information Discovery        T1082  2
