General

  • Target

    MV DINA QUEEN.xlsx

  • Size

    362KB

  • Sample

    210924-kl4clsgdbp

  • MD5

    fbfc394ab56cdb94824a714d6df7bd85

  • SHA1

    1d83fbbee591cfba2e0a87f62b7678f93d2ae688

  • SHA256

    48d0ccf6fdb10d9f0d93f8f29bea21d517a7ab2c849c1dd3cb42e025ddf1b555

  • SHA512

    012c1471b6dac6796999d85b99b365d5e267f9d87a81dadf836b65cf83471edc8deeba446f0770d870ff8c975a9cfdec692b3f9a33bcec19e28e79f15be78dd5

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    arup

  • C2

    http://www.sapphiretype.com/arup/

  • Decoy

    mezonpezon.com
    bellapbd.com
    xn--2kr800ab2z.group
    cupecoysuites.com
    extractselect.com
    cherrycooky.com
    reshawna.com
    bluewinetours.com
    dez2fly.com
    washedproductions.com
    om-asahi-kasei-jp.com
    talkingpoint.tours
    avaspacecompany.com
    fbtvmall.com
    trocaoferta.com
    mionegozio.com
    reitschuetz.com
    basepicks.com
    networkagricity.com
    kastore.club

Targets

    • Target

      MV DINA QUEEN.xlsx


    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1

    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Scripting (T1064): 1

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2
